BIT-fluent-bit-2024-50608
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/fluent-bit/BIT-fluent-bit-2024-50608.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-fluent-bit-2024-50608
- Aliases
- Published
- 2025-04-23T08:54:18.118Z
- Modified
- 2025-04-23T09:57:11.453078Z
- Summary
- [none]
- Details
-
An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cflsdslen, which in turn tries to cast a NULL pointer into struct cflsds. This is related to processpayloadmetricsng() at promrwprot.c.
- Database specific
{ "cpes": [ "cpe:2.3:a:treasuredata:fluent_bit:*:*:*:*:*:*:*:*" ], "severity": "High" }- References
Affected packages
Bitnami / fluent-bit
Package
- Name
- fluent-bit
- Purl
- pkg:bitnami/fluent-bit
Severity
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator