diff --git a/gems/fluentd/CVE-2026-44024.yml b/gems/fluentd/CVE-2026-44024.yml new file mode 100644 index 0000000000..dd7c62544a --- /dev/null +++ b/gems/fluentd/CVE-2026-44024.yml 
@@ -0,0 +1,43 @@ +--- +gem: fluentd +cve: 2026-44024 +ghsa: 44hj-4m45-frj3 +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44024 +title: Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary + File Write in `${tag}` Placeholder +date: 2026-06-26 +description: |- + Fluentd allows dynamically constructing file paths using the `${tag}` + placeholder. It was discovered that validation for this placeholder + was insufficient. + + If a Fluentd instance is configured to receive logs from untrusted + sources and uses the `${tag}` placeholder in file configurations + (such as the `path` parameter in the `out_file` plugin), an attacker + can inject path traversal characters (e.g., `../`). + + When combined with certain formatting options, this vulnerability allows + an attacker to write arbitrary files or overwrite existing files on + the system with attacker-controlled content, bypassing intended + directory restrictions. + + ### Impact + + This vulnerability allows for **Arbitrary File Write**, which can be + directly escalated to full **Remote Code Execution (RCE)**. + An attacker could achieve RCE by overwriting critical system files, + injecting executable plugins, or modifying configuration files. + The impact is Critical as it can lead to full system compromise without + any authentication, depending on the Fluentd configuration and the + privileges of the Fluentd process. +cvss_v3: 9.8 +patched_versions: + - ">= 1.19.3" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44024 + - https://github.com/fluent/fluentd/releases/tag/v1.19.3 + - https://github.com/advisories/GHSA-44hj-4m45-frj3 + - https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3 +notes: | + - CVE is reserved, but not published so no non-GHSA cvss values. diff --git a/gems/fluentd/CVE-2026-44025.yml b/gems/fluentd/CVE-2026-44025.yml new file mode 100644 index 0000000000..7d95c08611 --- /dev/null 
+++ b/gems/fluentd/CVE-2026-44025.yml @@ -0,0 +1,39 @@ +--- +gem: fluentd +cve: 2026-44025 +ghsa: pr7j-96cj-549h +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44025 +title: Fluentd is Vulnerable to Exposure of Sensitive Information + via Monitor Agent API +date: 2026-06-26 +description: | + Fluentd's Monitor Agent plugin (`in_monitor_agent`) exposes internal + metrics and plugin information via a REST API. + It was discovered that the API response (`/api/plugins.json` and + related endpoints) unintentionally includes internal instance + variables of loaded plugins. + + If any plugins store sensitive information—such as database passwords, + API keys, or cloud credentials—in its instance variables, this + information may be exposed in plain text to any user or system + that has HTTP access to the Monitor Agent API. + + ### Impact + + This vulnerability allows for unauthorized information disclosure. An + attacker who can reach the Monitor Agent API port (default: `24220`) + can potentially extract sensitive credentials used by other Fluentd plugins. + The impact severity depends highly on the network configuration (whether + the Monitor Agent port is exposed to untrusted networks) and the + specific plugins configured in the Fluentd instance. +cvss_v3: 7.5 +patched_versions: + - ">= 1.19.3" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44025 + - https://github.com/fluent/fluentd/releases/tag/v1.19.3 + - https://github.com/advisories/GHSA-pr7j-96cj-549h + - https://github.com/fluent/fluentd/security/advisories/GHSA-pr7j-96cj-549h +notes: | + - CVE is reserved, but not published so no non-GHSA cvss values. diff --git a/gems/fluentd/CVE-2026-44160.yml b/gems/fluentd/CVE-2026-44160.yml new file mode 100644 index 0000000000..e5b73f7071 --- /dev/null +++ b/gems/fluentd/CVE-2026-44160.yml 
@@ -0,0 +1,39 @@ +--- +gem: fluentd +cve: 2026-44160 +ghsa: j9cw-hwqf-85w7 +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44160 +title: Fluentd is Vulnerable to Denial of Service (DoS) via Gzip + Decompression Bomb in `in_http` and `in_forward` +date: 2026-06-26 +description: | + Fluentd's `in_http` and `in_forward` plugins support receiving + gzip-compressed data. + + While Fluentd correctly enforces size limits on the incoming + compressed payloads (e.g., via `body_size_limit` or `chunk_size_limit`), + it was discovered that there is no limit enforced on the size of the + decompressed data. If a Fluentd instance is exposed to untrusted + networks, an attacker can send a maliciously crafted, highly + compressed payload. When Fluentd attempts to decompress this payload + in memory, it will expand to an excessive size, completely bypassing + the intended payload size limits. + + ### Impact + + This vulnerability allows for a **Denial of Service (DoS)** attack + via memory exhaustion. The rapid memory consumption during decompression + can easily lead to an Out-of-Memory kill of the Fluentd process by + the operating system. This results in the disruption of all log + collection and forwarding capabilities on the affected node. +cvss_v3: 7.5 +patched_versions: + - ">= 1.19.3" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44160 + - https://github.com/fluent/fluentd/releases/tag/v1.19.3 + - https://github.com/advisories/GHSA-j9cw-hwqf-85w7 + - https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7 +notes: | + - CVE is reserved, but not published so no non-GHSA cvss values. diff --git a/gems/fluentd/CVE-2026-44161.yml b/gems/fluentd/CVE-2026-44161.yml new file mode 100644 index 0000000000..524e89ab56 --- /dev/null +++ b/gems/fluentd/CVE-2026-44161.yml 
@@ -0,0 +1,33 @@ +--- +gem: fluentd +cve: 2026-44161 +ghsa: 72f5-rr8c-r6gr +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44161 +title: Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) + via Placeholder Expansion in `out_http` +date: 2026-06-26 +description: | + The `out_http` output plugin allows the use of placeholders (such as + `${tag}`) in the `endpoint` configuration parameter. It was discovered + that if the placeholder value is derived from untrusted user input, + an attacker can maliciously control the destination hostname of the + outbound HTTP requests made by Fluentd. + + ## Impact + + This vulnerability allows for a **Server-Side Request Forgery (SSRF)** + attack. An unauthenticated attacker can force the Fluentd node to send + HTTP requests to arbitrary internal services. This can lead to + unauthorized access to internal APIs, data exfiltration, or the + compromise of cloud metadata endpoints (e.g., AWS IMDS `169.254.169.254`). +cvss_v3: 7.2 +patched_versions: + - ">= 1.19.3" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44161 + - https://github.com/fluent/fluentd/releases/tag/v1.19.3 + - https://github.com/advisories/GHSA-72f5-rr8c-r6gr + - https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr +notes: | + - CVE is reserved, but not published so no non-GHSA cvss values.
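Review bot: In gems/fluentd/CVE-2026-44024.yml, the top-level `url:` is a cve.org search query (`SearchResults?query=CVE-2026-44024`), while the `notes:` field says the CVE is reserved but not published, so the primary link will not show a record. Consider making the GHSA advisory (`https://github.com/advisories/GHSA-44hj-4m45-frj3`) the `url:` and keeping the cve.org link under `related:` only; the same applies to the other three files in this patch. Separately, this file uses `description: |-` where the other three use `description: |`; pick one for consistency.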
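Review bot: In gems/fluentd/CVE-2026-44025.yml, the second description paragraph has a number mismatch: "If any plugins store sensitive information ... in its instance variables". Suggest "in their instance variables" (or "If any plugin stores ... in its instance variables"). The description gives the default Monitor Agent port (`24220`) and says severity depends on network exposure, so a one-line note that the issue only applies when `in_monitor_agent` is enabled would help readers triage, if the upstream advisory confirms that.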
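Review bot: In gems/fluentd/CVE-2026-44160.yml, only `patched_versions: ">= 1.19.3"` is given and there is no `unaffected_versions` entry, so every release below 1.19.3 will be flagged. The description ties the issue to gzip handling in `in_http` and `in_forward`; if the upstream advisory states a first affected version for that feature, please add it as `unaffected_versions`, otherwise a short confirmation in the PR that all earlier versions are affected would be enough.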
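Review bot: In gems/fluentd/CVE-2026-44161.yml, the impact heading inside the description is `## Impact`, while the other three files added in this patch use `### Impact`. Suggest changing it to `### Impact` so the four advisories render consistently. Also worth checking against the GHSA: the description says "An unauthenticated attacker", and `cvss_v3: 7.2` is the only score here, so please confirm the value was copied from the advisory, since the note says there are no non-GHSA cvss values to cross-check.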