Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-39379

Опубликовано: 02 нояб. 2022
Источник: nvd
CVSS3: 3.1
CVSS3: 9.8
EPSS Низкий

Описание

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use FLUENT_OJ_OPTION_MODE=object.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:fluentd:fluentd:*:*:*:*:*:*:*:*
Версия от 1.13.2 (включая) до 1.15.3 (исключая)
Конфигурация 2
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

EPSS

Процентиль: 89%
0.04991
Низкий

3.1 Low

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-502
CWE-502

Связанные уязвимости

redhat логотип

CVE-2022-39379

CVSS3: 8.1
redhat
больше 3 лет назад

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.

msrc логотип

CVE-2022-39379

CVSS3: 9.8
msrc
около 3 лет назад

Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

debian логотип

CVE-2022-39379

CVSS3: 3.1
debian
больше 3 лет назад

Fluentd collects events from various data sources and writes them to f ...

github логотип

GHSA-fppq-mj76-fpj2

CVSS3: 3.1
github
больше 3 лет назад

fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

EPSS

Процентиль: 89%
0.04991
Низкий

3.1 Low

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-502
CWE-502