fluentd 1.6.2
Fluent Fluentd and Fluent-ui use default password
high severity CVE-2020-21514<= 1.8.0
An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 that allows attackers to gain escilated privileges and execute arbitrary code due to use of a default password.
ReDoS vulnerability in parser_apache2
medium severity CVE-2021-41186>= 1.14.2
< 0.14.14
Impact
parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack.
Patches
v1.14.2
Workarounds
Either of the following:
- Don't use parser_apache2 for parsing logs which cannot guarantee generated by Apache.
- Put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable
FLUENT_PLUGIN
or--plugin
option of fluentd).
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.