CVE-2021-21296

Опубликовано: 10 фев. 2021

Источник: nvd

CVSS3: 2.7

CVSS2: 4

EPSS Низкий

Описание

Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing. We believe the impact of this vulnerability to be low given the requirement that the actor has a valid node key. There is no information disclosure, privilege escalation, or code execution. The issue is fixed in Fleet 3.7.0.

Ссылки

https://github.com/fleetdm/fleet/commit/f68f4238e83b45b2164e4ed05df14af0f06eaf40
Patch
Third Party Advisory
https://github.com/fleetdm/fleet/security/advisories/GHSA-xwh8-9p3f-3x45
Third Party Advisory
https://www.npmjs.com/package/fleetctl
Product
Third Party Advisory
https://github.com/fleetdm/fleet/commit/f68f4238e83b45b2164e4ed05df14af0f06eaf40
Patch
Third Party Advisory
https://github.com/fleetdm/fleet/security/advisories/GHSA-xwh8-9p3f-3x45
Third Party Advisory
https://www.npmjs.com/package/fleetctl
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:node.js:*:*

Версия до 3.7.0 (исключая)

EPSS

Процентиль: 71%

0.00682

Низкий

2.7 Low

CVSS3

4 Medium

CVSS2

Дефекты

CWE-400

NVD-CWE-Other