RubyGems - fluentd - Versions - 1.14.4 - Mend

fluentd 1.14.4

1 security vulnerability found in version 1.14.4

fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

low severity CVE-2022-39379

Patched versions: >= 1.15.3

Unaffected versions: < 1.13.2

Impact

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object.

Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.

Patches

v1.15.3

Workarounds

Do not use FLUENT_OJ_OPTION_MODE=object.

References

GHSL-2022-067

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leaked issues.

No license issues detected.

This gem version has a license in the gemspec.

This gem version is available.

This gem version has not been yanked and is still available for usage.