Search criteria
1 vulnerability by Fluent Bit
CVE-2024-4323 (GCVE-0-2024-4323)
Vulnerability from cvelistv5 – Published: 2024-05-20 12:06 – Updated: 2024-08-19 07:47
VLAI?
Summary
A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution.
Severity ?
9.8 (Critical)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fluent Bit | Fluent Bit |
Affected:
2.0.7 , ≤ 3.0.3
(semver)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:treasuredata:fluent_bit:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fluent_bit",
"vendor": "treasuredata",
"versions": [
{
"lessThanOrEqual": "3.0.3",
"status": "affected",
"version": "2.0.7",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-20T14:38:35.183635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:53.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-19T07:47:45.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://tenable.com/security/research/tra-2024-17"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/fluent/fluent-bit/commit/9311b43a258352797af40749ab31a63c32acfd04"
},
{
"url": "https://www.vicarius.io/vsociety/posts/linguistic-lumberjack-memory-corruption-in-fluent-bit-cve-2024-4323"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fluent Bit",
"repo": "https://github.com/fluent/fluent-bit",
"vendor": "Fluent Bit",
"versions": [
{
"lessThanOrEqual": "3.0.3",
"status": "affected",
"version": "2.0.7",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server\u2019s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution."
}
],
"value": "A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server\u2019s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T17:07:24.703Z",
"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"shortName": "tenable"
},
"references": [
{
"url": "https://tenable.com/security/research/tra-2024-17"
},
{
"url": "https://github.com/fluent/fluent-bit/commit/9311b43a258352797af40749ab31a63c32acfd04"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A fix for this issue is introduced in versions 2.2.3 and 3.0.4.\u003cbr\u003e"
}
],
"value": "A fix for this issue is introduced in versions 2.2.3 and 3.0.4."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Fluent Bit Memory Corruption Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be",
"assignerShortName": "tenable",
"cveId": "CVE-2024-4323",
"datePublished": "2024-05-20T12:06:21.696Z",
"dateReserved": "2024-04-29T18:39:50.531Z",
"dateUpdated": "2024-08-19T07:47:45.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}