Threats Tagged 'rubygems'

Fluentd versions prior to 1.19.3 are vulnerable to a critical remote code execution (RCE) vulnerability via arbitrary file write through insufficient validation of the `${tag}` placeholder in file path configurations. An attacker sending logs with crafted tags containing path traversal characters can write or overwrite files on the system, potentially leading to full system compromise. This vulnerability requires no authentication and depends on Fluentd's configuration and process privileges. A patch is available in version 1.19.3. Mitigations include restricting network access, running Fluentd as a non-root user, avoiding use of `${tag}` in file paths from untrusted sources, and filtering incoming tags to block malicious characters.

Fluentd's Monitor Agent plugin exposes internal plugin instance variables via its REST API, potentially leaking sensitive information such as database passwords or API keys. This vulnerability affects versions prior to 1.19.3. An attacker with network access to the Monitor Agent port (default 24220) can retrieve this sensitive data. The severity depends on network exposure and plugin configuration. A patch is available in version 1.19.3. Until patched, restricting Monitor Agent access to localhost or blocking the port with firewall rules mitigates the risk.

Fluentd versions prior to 1.19.3 have a vulnerability in the `in_http` and `in_forward` plugins where gzip-compressed data decompression is not limited in size. This allows an attacker to send a maliciously crafted compressed payload that expands to an excessive size in memory, causing a denial of service (DoS) via memory exhaustion. The attack can cause the Fluentd process to be killed by the operating system, disrupting log collection and forwarding.

Fluentd's out_http plugin is vulnerable to Server-Side Request Forgery (SSRF) via placeholder expansion in the endpoint configuration. An attacker can manipulate the destination hostname of outbound HTTP requests if the placeholder value is derived from untrusted input. This allows unauthenticated attackers to make Fluentd send requests to arbitrary internal services, potentially accessing internal APIs or cloud metadata endpoints. The vulnerability affects Fluentd versions prior to 1.19.3. A patch is available in version 1.19.3. Workarounds include avoiding dynamic hostnames in endpoints, restricting network access to sensitive internal IPs, and filtering allowed hosts in placeholders.

The fluent-plugin-s3's in_s3 input plugin decompresses files from Amazon S3 without enforcing strict size limits on the decompressed payload. This allows an attacker with write permissions to upload a maliciously crafted compressed file that expands excessively in memory, causing a denial of service via memory exhaustion. The vulnerability can lead to the Fluentd process being killed by the operating system, disrupting log collection. A fixed version 1.8.5 is available. Until upgraded, strict IAM controls on S3 bucket write access can mitigate the risk.

The fluent-plugin-opentelemetry's in_opentelemetry HTTP input lacks strict size limits on incoming requests, allowing attackers to send excessively large or highly compressed payloads. This can cause the plugin to consume excessive memory during decompression, leading to a Denial of Service (DoS) by exhausting system resources and potentially crashing the Fluentd process. The vulnerability affects versions prior to 0.5.3. Mitigations include restricting network access to trusted sources and using a reverse proxy to enforce size limits and handle decompression. An official patch is available in version 0.5.3.