9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.024 Low
EPSS
Percentile
90.1%
A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE
is explicitly set to object
.
Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.
v1.15.3
Do not use FLUENT_OJ_OPTION_MODE=object
.
github.com/advisories/GHSA-fppq-mj76-fpj2
github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml
lists.fedoraproject.org/archives/list/[email protected]/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/
nvd.nist.gov/vuln/detail/CVE-2022-39379