Fluentd allows dynamic file path construction using the `${tag}` placeholder. Insufficient validation of this placeholder enables attackers to inject path traversal sequences (e.g., `../`) when Fluentd receives logs from untrusted sources and uses `${tag}` in output file paths (such as in the `out_file` plugin's `path` parameter). This leads to arbitrary file write capability, which can be escalated to remote code execution by overwriting critical system files, injecting malicious plugins, or modifying configuration files. The vulnerability affects Fluentd versions before 1.19.3 and has a CVSS 3.1 vector indicating network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild. The vendor has released version 1.19.3 to address this issue.

This vulnerability allows an unauthenticated attacker to write arbitrary files on the system running Fluentd by exploiting insufficient validation of the `${tag}` placeholder. This arbitrary file write can be leveraged to achieve remote code execution by overwriting critical system files, injecting executable plugins, or modifying configuration files. The impact is critical as it can lead to full system compromise depending on Fluentd's configuration and the privileges of the Fluentd process.

A patch is available in Fluentd version 1.19.3 and users are strongly advised to upgrade to this version. If immediate upgrade is not possible, apply the following mitigations: restrict network access to Fluentd input ports to trusted networks only; run Fluentd as a non-root user to limit file write permissions; avoid using the `${tag}` placeholder in output file path configurations when tags come from untrusted sources; and filter incoming tags to block characters such as '.' or '/' that enable path traversal, for example by using the `fluent-plugin-rewrite-tag-filter` plugin.