CVE-2020-21514
https://notcve.org/view.php?id=CVE-2020-21514
An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 allows attackers to gain escalated privileges and execute arbitrary code due to a default password. • https://github.com/fluent/fluentd/issues/2722 •
CVE-2022-39379 – Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
https://notcve.org/view.php?id=CVE-2022-39379
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. • https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135 https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO • CWE-502: Deserialization of Untrusted Data •
CVE-2021-41186 – ReDoS vulnerability in parser_apache2
https://notcve.org/view.php?id=CVE-2021-41186
Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don't use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd). • https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142 https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662 https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md • CWE-400: Uncontrolled Resource Consumption •
CVE-2017-10906 – fluentd: Escape sequence injection in filter_parser.rb:filter_stream can lead to arbitrary command execution when processing logs
https://notcve.org/view.php?id=CVE-2017-10906
Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors. Una vulnerabilidad de inyección de secuencias de escape en Fluentd en las versiones 0.12.29 hasta la 0.12.40 podría permitir que un atacante cambie la interfaz de usuario del terminal o ejecute comandos arbitrarios en el dispositivo mediante vectores sin especificar. • https://access.redhat.com/errata/RHSA-2018:2225 https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes https://github.com/fluent/fluentd/pull/1733 https://jvn.jp/en/vu/JVNVU95124098/index.html https://access.redhat.com/security/cve/CVE-2017-10906 https://bugzilla.redhat.com/show_bug.cgi?id=1524783 • CWE-138: Improper Neutralization of Special Elements •