OESA-2025-2320

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-2320
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2025-2320.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2025-2320
Upstream
Published
2025-09-19T13:13:37Z
Modified
2025-09-19T15:31:53.086532Z
Summary
rubygem-fluentd security update
Details

Fluentd is an open source data collector designed to scale and simplify log management. It can collect, process and ship many kinds of data in near real-time.

Security Fix(es):

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround, do not use FLUENT_OJ_OPTION_MODE=object. (CVE-2022-39379)

Database specific
{
    "severity": "Critical"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / rubygem-fluentd

Package

Name
rubygem-fluentd
Purl
pkg:rpm/openEuler/rubygem-fluentd&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.14.5-3.oe2203sp4

Ecosystem specific

{
    "src": [
        "rubygem-fluentd-1.14.5-3.oe2203sp4.src.rpm"
    ],
    "noarch": [
        "rubygem-fluentd-1.14.5-3.oe2203sp4.noarch.rpm",
        "rubygem-fluentd-help-1.14.5-3.oe2203sp4.noarch.rpm"
    ]
}