Vulnerabilities > CVE-2022-39379 - Deserialization of Untrusted Data vulnerability in multiple products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

fluentd

fedoraproject

CWE-502

critical

NVD

Published: 2022-11-02

Updated: 2023-11-07

Summary

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`.

Vulnerable Configurations

Part	Description	Count
Application	Fluentd Fluentd Fluentd 1.13.2 Fluentd Fluentd 1.13.3 Fluentd Fluentd 1.14.1 Fluentd Fluentd 1.14.2 Fluentd Fluentd 1.14.3 Fluentd Fluentd 1.14.4 Fluentd Fluentd 1.14.5 Fluentd Fluentd 1.14.6 Fluentd Fluentd 1.15.0 Fluentd Fluentd 1.15.1 Fluentd Fluentd 1.15.2	11
OS	Fedoraproject Fedoraproject Fedora 37	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References