CVE-2022-39379

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39379
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39379.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-39379
Aliases
Downstream
Published
2022-11-02T00:00:00Z
Modified
2025-10-30T20:16:17.485803Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
Details

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object: in that mode the Oj JSON parser reconstructs arbitrary Ruby objects from type-tagged JSON documents, which is the insecure deserialization weakness (CWE-502) behind this advisory. Please note: the option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround, do not use FLUENT_OJ_OPTION_MODE=object.
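The following is an added example, not code from Fluentd or from this advisory. It shows the two checks a practitioner would want around this issue: whether a process environment selects the dangerous Oj mode via FLUENT_OJ_OPTION_MODE, and whether an incoming JSON document carries the type-marker keys that Oj's object mode uses to name the Ruby class it will instantiate. The marker list (`^o`, `^c`, `^t`, `^#`, `^i`, `^r`, `^u`) is taken from Oj's object-mode encoding and is an assumption of this example; the function and constant names and the sample events are constructed for illustration. Only the stdlib JSON parser is used, so nothing is deserialized into objects while inspecting.

```ruby
# Added example (not Fluentd's own code): environment and payload checks
# for the FLUENT_OJ_OPTION_MODE=object deserialization issue.
require "json"

# Only Oj's "object" mode reconstructs arbitrary Ruby objects from JSON.
DANGEROUS_OJ_MODE = "object".freeze

# Returns :vulnerable_mode, :safe_mode or :unset for an environment hash.
# Pass ENV for the live process, or a constructed hash when testing.
def oj_mode_risk(env)
  mode = env["FLUENT_OJ_OPTION_MODE"]
  return :unset if mode.nil? || mode.strip.empty?
  mode.strip.downcase == DANGEROUS_OJ_MODE ? :vulnerable_mode : :safe_mode
end

# Keys Oj emits and honours in object mode (assumption: taken from Oj's
# object-mode encoding). "^o" names the class Oj would instantiate.
OJ_OBJECT_MARKERS = %w[^o ^c ^t ^# ^i ^r ^u].freeze

# Walks an already-parsed JSON document (Hash/Array/scalars) and collects
# every object-mode marker key; "^o" entries carry the named class.
def oj_object_markers(doc, found = [])
  case doc
  when Hash
    doc.each do |key, value|
      found << (key == "^o" ? "^o:#{value}" : key) if OJ_OBJECT_MARKERS.include?(key)
      oj_object_markers(value, found)
    end
  when Array
    doc.each { |value| oj_object_markers(value, found) }
  end
  found
end

# Parses raw JSON with the stdlib parser (which never instantiates user
# classes) and reports object-mode markers. Malformed JSON is reported,
# not raised, so the check can run inline on untrusted input.
def inspect_payload(raw)
  markers = oj_object_markers(JSON.parse(raw))
  { parsed: true, markers: markers, suspicious: !markers.empty? }
rescue JSON::ParserError
  { parsed: false, markers: [], suspicious: false }
end

# Constructed sample events (not captured traffic).
BENIGN_EVENT = '{"message":"user login","level":"info","tags":["auth"]}'
# Shape of an Oj object-mode document: "^o" names the Ruby class, the
# remaining keys become its instance variables; "^t" tags a Time value.
OBJECT_MODE_EVENT = '{"message":{"^o":"SomeRubyClass","x":"value"},' \
                    '"nested":[{"^t":1667347200}]}'

if $PROGRAM_NAME == __FILE__
  p oj_mode_risk({ "FLUENT_OJ_OPTION_MODE" => "object" })
  p oj_mode_risk(ENV)
  p inspect_payload(BENIGN_EVENT)
  p inspect_payload(OBJECT_MODE_EVENT)
end
```

Run it with `ruby` on a host that runs Fluentd to see whether the live environment selects object mode; a payload flagged as suspicious is one that only has an effect when that mode is on, so the two checks together tell you whether a given input could have reached the vulnerable path.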

Database specific
{
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Git / github.com/fluent/fluentd

Affected ranges

Type
GIT
Repo
https://github.com/fluent/fluentd
Events

Affected versions

v1.*

v1.13.2
v1.13.3
v1.14.0
v1.14.0.rc
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.15.0
v1.15.1
v1.15.2