GHSA-fppq-mj76-fpj2

Suggest an improvement
Source
https://github.com/advisories/GHSA-fppq-mj76-fpj2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-fppq-mj76-fpj2/GHSA-fppq-mj76-fpj2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-fppq-mj76-fpj2
Aliases
Published
2022-11-02T18:15:35Z
Modified
2024-02-21T05:27:14.591327Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
Details

Impact

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object.

Please note: The option FLUENTOJOPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.

Patches

v1.15.3

Workarounds

Do not use FLUENT_OJ_OPTION_MODE=object.

References

  • GHSL-2022-067
Database specific
{
    "nvd_published_at": "2022-11-02T13:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-02T18:15:35Z"
}
References

Affected packages

RubyGems / fluentd

Package

Name
fluentd
Purl
pkg:gem/fluentd

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.13.2
Fixed
1.15.3

Affected versions

1.*

1.13.2
1.13.3
1.14.0.rc
1.14.0
1.14.1
1.14.2
1.14.3
1.14.4
1.14.5
1.14.6
1.15.0
1.15.1
1.15.2