
181 matches found

Microsoft CVE
added 2025/03/04 8:00 a.m. · 4 views

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in turn tries to cast a NULL pointer into struct cfl_sds. This is related to process_payload_metrics_ng() at prom_rw_prot.c.

...

7.5 CVSS · 7.9 AI score · 0.01037 EPSS
Exploits: 1

BDU FSTEC
added 2025/02/26 12:00 a.m. · 2 views

The vulnerability of the Prometheus Remote Write plugin for collecting and processing Fluent Bit logs, related to the assignment of a null pointer, allows a malicious actor to trigger a service failure.

The vulnerability of the Prometheus Remote Write plugin for collecting and processing Fluent Bit logs is related to the assignment of a null pointer. Exploiting this vulnerability could allow an attacker to cause a service failure by sending a specially crafted HTTP request...

7.8 CVSS · 7.5 AI score · 0.01037 EPSS
Exploits: 2 · References: 3 · Affected Software: 1

RedhatCVE
added 2025/02/19 3:52 a.m. · 8 views

CVE-2024-50608

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user with access t...

7.5 CVSS · 7.6 AI score · 0.01037 EPSS
Exploits: 2 · References: 6

NVD
added 2025/02/18 6:15 p.m. · 7 views

CVE-2024-50608

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user with access t...

7.5 CVSS · 0.01037 EPSS
Exploits: 1 · References: 3

OSV
added 2025/02/18 6:15 p.m. · 6 views

CVE-2024-50608

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user with access t...

7.5 CVSS · 7.3 AI score · 0.01037 EPSS
Exploits: 2 · References: 3

OSV
added 2025/02/18 6:15 p.m. · 4 views

AZL-57074 CVE-2024-50608 affecting package fluent-bit for versions less than 3.1.9-3

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user with access t...

7.5 CVSS · 5.8 AI score · 0.01037 EPSS
Exploits: 1 · References: 1

OSV
added 2025/02/18 6:15 p.m. · 4 views

AZL-57092 CVE-2024-50608 affecting package fluent-bit for versions less than 3.0.6-2

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user with access t...

7.5 CVSS · 7.2 AI score · 0.01037 EPSS
Exploits: 1 · References: 1

CVE
added 2025/02/18 12:00 a.m. · 79 views

CVE-2024-50608

Fluent Bit 3.1.9 is affected by CVE-2024-50608 (Prometheus Remote Write input) and CVE-2024-50609 (OpenTelemetry input). In both cases, sending a crafted HTTP request with Content-Length: 0 triggers a NULL pointer dereference in the server (via cfl_sds_len) and can cause remote DoS. Connected adv...

7.5 CVSS · 7.3 AI score · 0.01037 EPSS
Exploits: 1 · References: 3 · Affected Software: 1

SUSE Linux
added 2025/02/14 7:16 a.m. · 5 views

Security update for SUSE Manager Client Tools

This update fixes the following issues: golang-github-prometheus-prometheus was updated from version 2.45.6 to 2.53.3 (jsc#PED-11649). Security issues fixed: CVE-2024-51744: Updated golang-jwt to version 5.0 to fix bad error handling (bsc#1232970). Highlights of other changes: Performance: Significant...

9.4 CVSS · 8.1 AI score · 0.03396 EPSS
Exploits: 3 · References: 60

RedhatCVE
added 2025/02/05 2:13 p.m. · 6 views

CVE-2020-11551

An issue was discovered on NETGEAR Orbi Tri-Band Business WiFi Add-on Satellite SRS60 AC3000 V2.5.1.106, Outdoor Satellite RBS50Y V2.5.1.106, and Pro Tri-Band Business WiFi Router SRR60 AC3000 V2.5.1.106. The administrative SOAP interface allows an unauthenticated remote write of arbitrary Wi-Fi...

9.6 CVSS · 7 AI score · 0.01651 EPSS
Exploits: 1 · References: 1

BDU FSTEC
added 2024/10/23 12:00 a.m. · 2 views

The vulnerability of the application programming interface of the Skipper server on the Spring Cloud Data Flow microservices platform allows a perpetrator to write a file to any directory in the system using a specially crafted API request.

The vulnerability of the application programming interface of the Skipper server in the Spring Cloud Data Flow microservices platform is related to improper code generation management. Exploiting this vulnerability allows an attacker, operating remotely, to write a file to any directory in the...

10 CVSS · 5.5 AI score · 0.35211 EPSS
Exploits: 4 · References: 3 · Affected Software: 1

OSV
added 2024/09/17 7:48 a.m. · 24 views

SUSE-SU-2024:3288-1 Security update for golang-github-prometheus-prometheus

This update for golang-github-prometheus-prometheus fixes the following issues: - Require Go 1.20 for building - Bump go-retryablehttp to version 0.7.7 (CVE-2024-6104, bsc#1227038) - Migrate from disabled to manual service mode - Add 0003-Bump-go-retryablehttp.patch - Update to 2.45.6 (jsc#PED-3577):...

7.5 CVSS · 7.5 AI score · 0.04561 EPSS
Exploits: 0 · References: 9

BDU FSTEC
added 2024/07/12 12:00 a.m. · 1 view

The vulnerability of the “Document Approval Service” software lies in the improper limitation of the path name to the catalog, which allows a violator to gain access to read and write local files.

The vulnerability of the “Service for Document Approval” software is related to incorrect restrictions on the path to the catalog. Exploiting this vulnerability can allow an attacker who operates remotely to gain read and write access to local files...

7.7 CVSS · 5.5 AI score
Exploits: 0 · References: 1 · Affected Software: 1

SUSE CVE
added 2024/05/16 2:23 a.m. · 5 views

SUSE CVE-2024-4761

Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Chromium security severity: High...

8.8 CVSS · 8.8 AI score · 0.11007 EPSS
Exploits: 2 · References: 3

BDU FSTEC
added 2024/04/10 12:00 a.m. · 2 views

The vulnerability of the Apache Airflow network software, related to improper saving of permissions, allows a malicious actor to gain access to write arbitrary files to the file system.

The vulnerability of the Apache Airflow network software is related to the improper storage of permissions. Exploiting this vulnerability can allow a malicious actor to gain access to and modify any files in the file system remotely...

5.9 CVSS · 5.8 AI score · 0.0146 EPSS
Exploits: 0 · References: 3 · Affected Software: 1

Positive Technologies
added 2023/10/18 12:00 a.m. · 4 views

PT-2023-6408 · Spring · Spring Amqp

Name of the Vulnerable Software and Affected Versions: Spring AMQP versions 1.0.0 through 2.4.16; Spring AMQP versions 3.0.0 through 3.0.9. Description: The issue is related to shortcomings in the deserialization mechanism of the Spring AMQP RabbitMQ application. This could allow a remote attacker ...

6.8 CVSS · 4.6 AI score · 0.01524 EPSS
Exploits: 0 · References: 16

OSV
added 2023/10/13 11:06 a.m. · 2 views

OESA-2023-1714 firefox security update

Mozilla Firefox is a standalone web browser, designed for standards compliance and performance. Its functionality can be enhanced via a plethora of extensions. Security Fixes: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to...

8.8 CVSS · 8.6 AI score · 0.99739 EPSS
Exploits: 9 · References: 2

Broadcom
added 2023/10/03 12:00 a.m. · 6 views

Heap buffer overflow in libwebp (CVE-2023-4863)

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Products Confirmed Not Affected: No Brocade Fibre Channel products from Broadcom are known to be affected by this...

8.8 CVSS · 7.3 AI score · 0.99739 EPSS
Exploits: 9

OSV
added 2023/09/12 3:15 p.m. · 2 views

AZL-29758 CVE-2023-4863 affecting package libwebp for versions less than 1.3.2-1

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Chromium security severity: Critical...

8.8 CVSS · 7.5 AI score · 0.99739 EPSS
Exploits: 9 · References: 1

OSV
added 2023/09/12 3:15 p.m. · 1 view

UBUNTU-CVE-2023-4863

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Chromium security severity: Critical...

8.8 CVSS · 7.1 AI score · 0.99739 EPSS
Exploits: 9 · References: 11