GHSA-fppq-mj76-fpj2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fppq-mj76-fpj2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-fppq-mj76-fpj2/GHSA-fppq-mj76-fpj2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fppq-mj76-fpj2
- Aliases
- Published
- 2022-11-02T18:15:35Z
- Modified
- 2024-02-21T05:28:11.809766Z
- Severity
-
- 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
- Details
-
Impact
A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Fluentd setups are only affected if the environment variable
FLUENT_OJ_OPTION_MODEis explicitly set toobject.Please note: The option FLUENTOJOPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.
Patches
v1.15.3
Workarounds
Do not use
FLUENT_OJ_OPTION_MODE=object.References
- GHSL-2022-067
- Database specific
{ "nvd_published_at": "2022-11-02T13:15:00Z", "cwe_ids": [ "CWE-502" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2022-11-02T18:15:35Z" }- References
-
- https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
- https://nvd.nist.gov/vuln/detail/CVE-2022-39379
- https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
- https://github.com/fluent/fluentd
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO
Affected packages
RubyGems / fluentd
Package
- Name
- fluentd
- Purl
- pkg:gem/fluentd