Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    14 vulnerabilities by fluentd

    CVE-2026-44161 (GCVE-0-2026-44161)

    Vulnerability from nvd – Published: 2026-07-08 21:25 – Updated: 2026-07-09 14:40
    VLAI
    Title
    Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
    Summary
    Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: < 1.19.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44161",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:37:57.811738Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:40:31.700Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:25:43.892Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr"
            },
            {
              "name": "https://github.com/fluent/fluentd/pull/5394",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/pull/5394"
            },
            {
              "name": "https://github.com/fluent/fluentd/commit/c6a01ea2e0ea01977f8d615f7c6dbfae4cba88c9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/commit/c6a01ea2e0ea01977f8d615f7c6dbfae4cba88c9"
            },
            {
              "name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
            }
          ],
          "source": {
            "advisory": "GHSA-72f5-rr8c-r6gr",
            "discovery": "UNKNOWN"
          },
          "title": "Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44161",
        "datePublished": "2026-07-08T21:25:43.892Z",
        "dateReserved": "2026-05-05T14:39:34.922Z",
        "dateUpdated": "2026-07-09T14:40:31.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44160 (GCVE-0-2026-44160)

    Vulnerability from nvd – Published: 2026-07-08 21:24 – Updated: 2026-07-09 19:34
    VLAI
    Title
    Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
    Summary
    Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: < 1.19.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44160",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T19:34:49.901088Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T19:34:55.352Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd\u0027s in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:24:28.346Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7"
            },
            {
              "name": "https://github.com/fluent/fluentd/pull/5393",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/pull/5393"
            },
            {
              "name": "https://github.com/fluent/fluentd/commit/f5f2b7cddf8aab3932e6dec9fa367a5f3eb27e10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/commit/f5f2b7cddf8aab3932e6dec9fa367a5f3eb27e10"
            },
            {
              "name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
            }
          ],
          "source": {
            "advisory": "GHSA-j9cw-hwqf-85w7",
            "discovery": "UNKNOWN"
          },
          "title": "Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44160",
        "datePublished": "2026-07-08T21:24:28.346Z",
        "dateReserved": "2026-05-05T14:39:34.922Z",
        "dateUpdated": "2026-07-09T19:34:55.352Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44024 (GCVE-0-2026-44024)

    Vulnerability from nvd – Published: 2026-07-08 21:20 – Updated: 2026-07-10 03:55
    VLAI
    Title
    Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder
    Summary
    Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: < 1.19.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44024",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T03:55:45.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:20:29.598Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3"
            },
            {
              "name": "https://github.com/fluent/fluentd/pull/5391",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/pull/5391"
            },
            {
              "name": "https://github.com/fluent/fluentd/commit/45c87a81f3ac0b72b3f9dcfe8cfb5f9038f81437",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/commit/45c87a81f3ac0b72b3f9dcfe8cfb5f9038f81437"
            },
            {
              "name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
            }
          ],
          "source": {
            "advisory": "GHSA-44hj-4m45-frj3",
            "discovery": "UNKNOWN"
          },
          "title": "Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44024",
        "datePublished": "2026-07-08T21:20:29.598Z",
        "dateReserved": "2026-05-04T21:24:36.506Z",
        "dateUpdated": "2026-07-10T03:55:45.194Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-21514 (GCVE-0-2020-21514)

    Vulnerability from nvd – Published: 2023-04-04 00:00 – Updated: 2025-06-09 14:00
    VLAI
    Summary
    An issue was discovered in Fluent-ui v.1.2.2 allows attackers to gain escalated privileges and execute arbitrary code due to a default password.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T14:30:32.511Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/issues/2722"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-21514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-13T16:31:57.231242Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-13T16:33:07.831Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in Fluent-ui v.1.2.2 allows attackers to gain escalated privileges and execute arbitrary code due to a default password."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-09T14:00:49.654Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/fluent/fluentd/issues/2722"
            },
            {
              "url": "https://github.com/fluent/fluentd-ui/issues/295"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-21514",
        "datePublished": "2023-04-04T00:00:00.000Z",
        "dateReserved": "2020-08-13T00:00:00.000Z",
        "dateUpdated": "2025-06-09T14:00:49.654Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-39379 (GCVE-0-2022-39379)

    Vulnerability from nvd – Published: 2022-11-02 00:00 – Updated: 2025-04-23 16:41
    VLAI
    Title
    Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
    Summary
    Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: >= 1.13.2, < 1.15.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:00:44.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"
              },
              {
                "name": "FEDORA-2023-6b9e2a6534",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-39379",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T13:55:24.123262Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T16:41:33.585Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.13.2, \u003c 1.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-11T00:00:00.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"
            },
            {
              "url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"
            },
            {
              "name": "FEDORA-2023-6b9e2a6534",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"
            }
          ],
          "source": {
            "advisory": "GHSA-fppq-mj76-fpj2",
            "discovery": "UNKNOWN"
          },
          "title": "Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-39379",
        "datePublished": "2022-11-02T00:00:00.000Z",
        "dateReserved": "2022-09-02T00:00:00.000Z",
        "dateUpdated": "2025-04-23T16:41:33.585Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41186 (GCVE-0-2021-41186)

    Vulnerability from nvd – Published: 2021-10-29 13:40 – Updated: 2024-08-04 03:08
    VLAI
    Title
    ReDoS vulnerability in parser_apache2
    Summary
    Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don't use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd).
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: >= 0.14.14, < 1.14.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.511Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.14.14, \u003c 1.14.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don\u0027t use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-29T13:40:10.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
            }
          ],
          "source": {
            "advisory": "GHSA-hwhf-64mh-r662",
            "discovery": "UNKNOWN"
          },
          "title": "ReDoS vulnerability in parser_apache2",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-41186",
              "STATE": "PUBLIC",
              "TITLE": "ReDoS vulnerability in parser_apache2"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "fluentd",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e= 0.14.14, \u003c 1.14.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "fluent"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don\u0027t use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd)."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400: Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
                },
                {
                  "name": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142",
                  "refsource": "MISC",
                  "url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
                },
                {
                  "name": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md",
                  "refsource": "MISC",
                  "url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-hwhf-64mh-r662",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-41186",
        "datePublished": "2021-10-29T13:40:10.000Z",
        "dateReserved": "2021-09-15T00:00:00.000Z",
        "dateUpdated": "2024-08-04T03:08:31.511Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-10906 (GCVE-0-2017-10906)

    Vulnerability from nvd – Published: 2017-12-08 15:00 – Updated: 2024-08-05 17:50
    VLAI
    Summary
    Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors.
    Severity
    No CVSS data available.
    CWE
    • Escape Sequence Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Native Computing Foundation (CNCF) Fluentd Affected: 0.12.29 through 0.12.40
    Create a notification for this product.
    Date Public
    2017-12-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T17:50:12.579Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:2225",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2225"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU95124098/index.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/pull/1733"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fluentd",
              "vendor": "Cloud Native Computing Foundation (CNCF)",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.12.29 through 0.12.40"
                }
              ]
            }
          ],
          "datePublic": "2017-12-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Escape Sequence Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-20T09:57:01.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "name": "RHSA-2018:2225",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2225"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/vu/JVNVU95124098/index.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/pull/1733"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2017-10906",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fluentd",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.12.29 through 0.12.40"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Native Computing Foundation (CNCF)"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Escape Sequence Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:2225",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2225"
                },
                {
                  "name": "https://jvn.jp/en/vu/JVNVU95124098/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/vu/JVNVU95124098/index.html"
                },
                {
                  "name": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes"
                },
                {
                  "name": "https://github.com/fluent/fluentd/pull/1733",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/fluent/fluentd/pull/1733"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2017-10906",
        "datePublished": "2017-12-08T15:00:00.000Z",
        "dateReserved": "2017-07-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T17:50:12.579Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-44161 (GCVE-0-2026-44161)

    Vulnerability from cvelistv5 – Published: 2026-07-08 21:25 – Updated: 2026-07-09 14:40
    VLAI
    Title
    Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
    Summary
    Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: < 1.19.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44161",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:37:57.811738Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:40:31.700Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:25:43.892Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr"
            },
            {
              "name": "https://github.com/fluent/fluentd/pull/5394",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/pull/5394"
            },
            {
              "name": "https://github.com/fluent/fluentd/commit/c6a01ea2e0ea01977f8d615f7c6dbfae4cba88c9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/commit/c6a01ea2e0ea01977f8d615f7c6dbfae4cba88c9"
            },
            {
              "name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
            }
          ],
          "source": {
            "advisory": "GHSA-72f5-rr8c-r6gr",
            "discovery": "UNKNOWN"
          },
          "title": "Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44161",
        "datePublished": "2026-07-08T21:25:43.892Z",
        "dateReserved": "2026-05-05T14:39:34.922Z",
        "dateUpdated": "2026-07-09T14:40:31.700Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44160 (GCVE-0-2026-44160)

    Vulnerability from cvelistv5 – Published: 2026-07-08 21:24 – Updated: 2026-07-09 19:34
    VLAI
    Title
    Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
    Summary
    Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: < 1.19.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44160",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T19:34:49.901088Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T19:34:55.352Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd\u0027s in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-409",
                  "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:24:28.346Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7"
            },
            {
              "name": "https://github.com/fluent/fluentd/pull/5393",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/pull/5393"
            },
            {
              "name": "https://github.com/fluent/fluentd/commit/f5f2b7cddf8aab3932e6dec9fa367a5f3eb27e10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/commit/f5f2b7cddf8aab3932e6dec9fa367a5f3eb27e10"
            },
            {
              "name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
            }
          ],
          "source": {
            "advisory": "GHSA-j9cw-hwqf-85w7",
            "discovery": "UNKNOWN"
          },
          "title": "Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44160",
        "datePublished": "2026-07-08T21:24:28.346Z",
        "dateReserved": "2026-05-05T14:39:34.922Z",
        "dateUpdated": "2026-07-09T19:34:55.352Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44024 (GCVE-0-2026-44024)

    Vulnerability from cvelistv5 – Published: 2026-07-08 21:20 – Updated: 2026-07-10 03:55
    VLAI
    Title
    Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder
    Summary
    Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: < 1.19.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44024",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T03:55:45.194Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.19.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T21:20:29.598Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3"
            },
            {
              "name": "https://github.com/fluent/fluentd/pull/5391",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/pull/5391"
            },
            {
              "name": "https://github.com/fluent/fluentd/commit/45c87a81f3ac0b72b3f9dcfe8cfb5f9038f81437",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/commit/45c87a81f3ac0b72b3f9dcfe8cfb5f9038f81437"
            },
            {
              "name": "https://github.com/fluent/fluentd/releases/tag/v1.19.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/releases/tag/v1.19.3"
            }
          ],
          "source": {
            "advisory": "GHSA-44hj-4m45-frj3",
            "discovery": "UNKNOWN"
          },
          "title": "Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44024",
        "datePublished": "2026-07-08T21:20:29.598Z",
        "dateReserved": "2026-05-04T21:24:36.506Z",
        "dateUpdated": "2026-07-10T03:55:45.194Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2020-21514 (GCVE-0-2020-21514)

    Vulnerability from cvelistv5 – Published: 2023-04-04 00:00 – Updated: 2025-06-09 14:00
    VLAI
    Summary
    An issue was discovered in Fluent-ui v.1.2.2 allows attackers to gain escalated privileges and execute arbitrary code due to a default password.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-276 - Incorrect Default Permissions
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T14:30:32.511Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/issues/2722"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2020-21514",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-13T16:31:57.231242Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-276",
                    "description": "CWE-276 Incorrect Default Permissions",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-13T16:33:07.831Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in Fluent-ui v.1.2.2 allows attackers to gain escalated privileges and execute arbitrary code due to a default password."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-09T14:00:49.654Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/fluent/fluentd/issues/2722"
            },
            {
              "url": "https://github.com/fluent/fluentd-ui/issues/295"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-21514",
        "datePublished": "2023-04-04T00:00:00.000Z",
        "dateReserved": "2020-08-13T00:00:00.000Z",
        "dateUpdated": "2025-06-09T14:00:49.654Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-39379 (GCVE-0-2022-39379)

    Vulnerability from cvelistv5 – Published: 2022-11-02 00:00 – Updated: 2025-04-23 16:41
    VLAI
    Title
    Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
    Summary
    Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: >= 1.13.2, < 1.15.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:00:44.172Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"
              },
              {
                "name": "FEDORA-2023-6b9e2a6534",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-39379",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T13:55:24.123262Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T16:41:33.585Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.13.2, \u003c 1.15.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-01-11T00:00:00.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2"
            },
            {
              "url": "https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135"
            },
            {
              "name": "FEDORA-2023-6b9e2a6534",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/"
            }
          ],
          "source": {
            "advisory": "GHSA-fppq-mj76-fpj2",
            "discovery": "UNKNOWN"
          },
          "title": "Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-39379",
        "datePublished": "2022-11-02T00:00:00.000Z",
        "dateReserved": "2022-09-02T00:00:00.000Z",
        "dateUpdated": "2025-04-23T16:41:33.585Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41186 (GCVE-0-2021-41186)

    Vulnerability from cvelistv5 – Published: 2021-10-29 13:40 – Updated: 2024-08-04 03:08
    VLAI
    Title
    ReDoS vulnerability in parser_apache2
    Summary
    Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don't use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd).
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    fluent fluentd Affected: >= 0.14.14, < 1.14.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.511Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fluentd",
              "vendor": "fluent",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.14.14, \u003c 1.14.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don\u0027t use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-29T13:40:10.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
            }
          ],
          "source": {
            "advisory": "GHSA-hwhf-64mh-r662",
            "discovery": "UNKNOWN"
          },
          "title": "ReDoS vulnerability in parser_apache2",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-41186",
              "STATE": "PUBLIC",
              "TITLE": "ReDoS vulnerability in parser_apache2"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "fluentd",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e= 0.14.14, \u003c 1.14.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "fluent"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Fluentd collects events from various data sources and writes them to files to help unify logging infrastructure. The parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack. This issue is patched in version 1.14.2 There are two workarounds available. Either don\u0027t use parser_apache2 for parsing logs (which cannot guarantee generated by Apache), or put patched version of parser_apache2.rb into /etc/fluent/plugin directory (or any other directories specified by the environment variable `FLUENT_PLUGIN` or `--plugin` option of fluentd)."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-400: Uncontrolled Resource Consumption"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/fluent/fluentd/security/advisories/GHSA-hwhf-64mh-r662"
                },
                {
                  "name": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142",
                  "refsource": "MISC",
                  "url": "https://github.com/fluent/fluentd/blob/master/CHANGELOG.md#v1142"
                },
                {
                  "name": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md",
                  "refsource": "MISC",
                  "url": "https://github.com/github/securitylab-vulnerabilities/blob/52dc4a2a828c6dc24231967c2937ad92038184a9/vendor_reports/GHSL-2021-102-fluent-fluentd.md"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-hwhf-64mh-r662",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-41186",
        "datePublished": "2021-10-29T13:40:10.000Z",
        "dateReserved": "2021-09-15T00:00:00.000Z",
        "dateUpdated": "2024-08-04T03:08:31.511Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-10906 (GCVE-0-2017-10906)

    Vulnerability from cvelistv5 – Published: 2017-12-08 15:00 – Updated: 2024-08-05 17:50
    VLAI
    Summary
    Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors.
    Severity
    No CVSS data available.
    CWE
    • Escape Sequence Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    Cloud Native Computing Foundation (CNCF) Fluentd Affected: 0.12.29 through 0.12.40
    Create a notification for this product.
    Date Public
    2017-12-08 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T17:50:12.579Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:2225",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2225"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jvn.jp/en/vu/JVNVU95124098/index.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/fluent/fluentd/pull/1733"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Fluentd",
              "vendor": "Cloud Native Computing Foundation (CNCF)",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.12.29 through 0.12.40"
                }
              ]
            }
          ],
          "datePublic": "2017-12-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Escape Sequence Injection",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-07-20T09:57:01.000Z",
            "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
            "shortName": "jpcert"
          },
          "references": [
            {
              "name": "RHSA-2018:2225",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2225"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jvn.jp/en/vu/JVNVU95124098/index.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/fluent/fluentd/pull/1733"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "vultures@jpcert.or.jp",
              "ID": "CVE-2017-10906",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Fluentd",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.12.29 through 0.12.40"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Cloud Native Computing Foundation (CNCF)"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Escape Sequence Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:2225",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2225"
                },
                {
                  "name": "https://jvn.jp/en/vu/JVNVU95124098/index.html",
                  "refsource": "MISC",
                  "url": "https://jvn.jp/en/vu/JVNVU95124098/index.html"
                },
                {
                  "name": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes"
                },
                {
                  "name": "https://github.com/fluent/fluentd/pull/1733",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/fluent/fluentd/pull/1733"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "assignerShortName": "jpcert",
        "cveId": "CVE-2017-10906",
        "datePublished": "2017-12-08T15:00:00.000Z",
        "dateReserved": "2017-07-04T00:00:00.000Z",
        "dateUpdated": "2024-08-05T17:50:12.579Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }