Merged
43 changes: 43 additions & 0 deletions gems/fluentd/CVE-2026-44024.yml
@@ -0,0 +1,43 @@
---
gem: fluentd
cve: 2026-44024
ghsa: 44hj-4m45-frj3
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44024
title: Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary
File Write in `${tag}` Placeholder
date: 2026-06-26
description: |-
Fluentd allows dynamically constructing file paths using the `${tag}`
placeholder. It was discovered that validation for this placeholder
was insufficient.

If a Fluentd instance is configured to receive logs from untrusted
sources and uses the `${tag}` placeholder in file configurations
(such as the `path` parameter in the `out_file` plugin), an attacker
can inject path traversal characters (e.g., `../`).

When combined with certain formatting options, this vulnerability allows
an attacker to write arbitrary files or overwrite existing files on
the system with attacker-controlled content, bypassing intended
directory restrictions.

### Impact

This vulnerability allows for **Arbitrary File Write**, which can be
directly escalated to full **Remote Code Execution (RCE)**.
An attacker could achieve RCE by overwriting critical system files,
injecting executable plugins, or modifying configuration files.
The impact is Critical as it can lead to full system compromise without
any authentication, depending on the Fluentd configuration and the
privileges of the Fluentd process.
cvss_v3: 9.8
patched_versions:
- ">= 1.19.3"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44024
- https://github.com/fluent/fluentd/releases/tag/v1.19.3
- https://github.com/advisories/GHSA-44hj-4m45-frj3
- https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3
notes: |
- CVE is reserved, but not published so no non-GHSA cvss values.
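Review bot: the top-level `url:` is a cve.org search query (`SearchResults?query=CVE-2026-44024`), while the `notes:` entry at the end of this file says the CVE is reserved but not published, so the primary link may not lead to a record. Consider pointing `url:` at the GHSA advisory already listed under `related`, and switching back once the CVE record is live. Separately, this file uses `description: |-` where the other three files in this change use `description: |`; pick one for consistency.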
39 changes: 39 additions & 0 deletions gems/fluentd/CVE-2026-44025.yml
@@ -0,0 +1,39 @@
---
gem: fluentd
cve: 2026-44025
ghsa: pr7j-96cj-549h
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44025
title: Fluentd is Vulnerable to Exposure of Sensitive Information
via Monitor Agent API
date: 2026-06-26
description: |
Fluentd's Monitor Agent plugin (`in_monitor_agent`) exposes internal
metrics and plugin information via a REST API.
It was discovered that the API response (`/api/plugins.json` and
related endpoints) unintentionally includes internal instance
variables of loaded plugins.

If any plugins store sensitive information—such as database passwords,
API keys, or cloud credentials—in its instance variables, this
information may be exposed in plain text to any user or system
that has HTTP access to the Monitor Agent API.

### Impact

This vulnerability allows for unauthorized information disclosure. An
attacker who can reach the Monitor Agent API port (default: `24220`)
can potentially extract sensitive credentials used by other Fluentd plugins.
The impact severity depends highly on the network configuration (whether
the Monitor Agent port is exposed to untrusted networks) and the
specific plugins configured in the Fluentd instance.
cvss_v3: 7.5
patched_versions:
- ">= 1.19.3"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44025
- https://github.com/fluent/fluentd/releases/tag/v1.19.3
- https://github.com/advisories/GHSA-pr7j-96cj-549h
- https://github.com/fluent/fluentd/security/advisories/GHSA-pr7j-96cj-549h
notes: |
- CVE is reserved, but not published so no non-GHSA cvss values.
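Review bot: in the description, "If any plugins store sensitive information ... in its instance variables" mixes plural and singular; "in their instance variables" (or "If any plugin stores ... in its") reads correctly. Also, the first entry under `related: url:` repeats the top-level `url:` value, so it can be dropped from the list.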
39 changes: 39 additions & 0 deletions gems/fluentd/CVE-2026-44160.yml
@@ -0,0 +1,39 @@
---
gem: fluentd
cve: 2026-44160
ghsa: j9cw-hwqf-85w7
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44160
title: Fluentd is Vulnerable to Denial of Service (DoS) via Gzip
Decompression Bomb in `in_http` and `in_forward`
date: 2026-06-26
description: |
Fluentd's `in_http` and `in_forward` plugins support receiving
gzip-compressed data.

While Fluentd correctly enforces size limits on the incoming
compressed payloads (e.g., via `body_size_limit` or `chunk_size_limit`),
it was discovered that there is no limit enforced on the size of the
decompressed data. If a Fluentd instance is exposed to untrusted
networks, an attacker can send a maliciously crafted, highly
compressed payload. When Fluentd attempts to decompress this payload
in memory, it will expand to an excessive size, completely bypassing
the intended payload size limits.

### Impact

This vulnerability allows for a **Denial of Service (DoS)** attack
via memory exhaustion. The rapid memory consumption during decompression
can easily lead to an Out-of-Memory kill of the Fluentd process by
the operating system. This results in the disruption of all log
collection and forwarding capabilities on the affected node.
cvss_v3: 7.5
patched_versions:
- ">= 1.19.3"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44160
- https://github.com/fluent/fluentd/releases/tag/v1.19.3
- https://github.com/advisories/GHSA-j9cw-hwqf-85w7
- https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7
notes: |
- CVE is reserved, but not published so no non-GHSA cvss values.
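Review bot: the `notes:` entry "CVE is reserved, but not published so no non-GHSA cvss values." is hard to parse. Stating the source directly, for example that `cvss_v3: 7.5` is taken from the GHSA because the CVE record is not yet published, would make it clear where the score comes from and when it should be revisited.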
33 changes: 33 additions & 0 deletions gems/fluentd/CVE-2026-44161.yml
@@ -0,0 +1,33 @@
---
gem: fluentd
cve: 2026-44161
ghsa: 72f5-rr8c-r6gr
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44161
title: Fluentd is Vulnerable to Server-Side Request Forgery (SSRF)
via Placeholder Expansion in `out_http`
date: 2026-06-26
description: |
The `out_http` output plugin allows the use of placeholders (such as
`${tag}`) in the `endpoint` configuration parameter. It was discovered
that if the placeholder value is derived from untrusted user input,
an attacker can maliciously control the destination hostname of the
outbound HTTP requests made by Fluentd.

## Impact

This vulnerability allows for a **Server-Side Request Forgery (SSRF)**
attack. An unauthenticated attacker can force the Fluentd node to send
HTTP requests to arbitrary internal services. This can lead to
unauthorized access to internal APIs, data exfiltration, or the
compromise of cloud metadata endpoints (e.g., AWS IMDS `169.254.169.254`).
cvss_v3: 7.2
patched_versions:
- ">= 1.19.3"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44161
- https://github.com/fluent/fluentd/releases/tag/v1.19.3
- https://github.com/advisories/GHSA-72f5-rr8c-r6gr
- https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr
notes: |
- CVE is reserved, but not published so no non-GHSA cvss values.
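Review bot: the description uses `## Impact` here, while the other three files added in this change use `### Impact`. Use the same heading level in all four so the rendered advisories match.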