fluentd 1.15.2-x86-mingw32
Fluent Fluentd and Fluent-ui use default password
high severity CVE-2020-21514An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 that allows attackers to gain escilated privileges and execute arbitrary code due to use of a default password.
fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
low severity CVE-2022-39379>= 1.15.3
< 1.13.2
Impact
A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Fluentd setups are only affected if the environment variable
FLUENT_OJ_OPTION_MODE
is explicitly set to object
.
Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.
Patches
v1.15.3
Workarounds
Do not use FLUENT_OJ_OPTION_MODE=object
.
References
- GHSL-2022-067
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.