Vulnerabilities > CVE-2020-35488 - Deserialization of Untrusted Data vulnerability in Nxlog 2.10.2150

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

network

nxlog

CWE-502

NVD

Published: 2021-01-05

Updated: 2022-04-29

Summary

The fileop module of the NXLog service in NXLog Community Edition 2.10.2150 allows remote attackers to cause a denial of service (daemon crash) via a crafted Syslog payload to the Syslog service. This attack requires a specific configuration. Also, the name of the directory created must use a Syslog field. (For example, on Linux it is not possible to create a .. directory. On Windows, it is not possible to create a CON directory.)

Vulnerable Configurations

Part	Description	Count
Application	Nxlog Nxlog Nxlog 2.10.2150	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://github.com/GuillaumePetit84/CVE-2020-35488
https://gitlab.com/nxlog-public/nxlog-ce/-/blob/master/ChangeLog.txt#L2