CRITICAL🇵🇱 Wersja polska

CVE-2024-4323

CVSS 9.8v3.1pub. 2024-05-20upd. 2025-05-05

A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution.

🤖 AI Analysis
How it works

The bug lies in the trace request parsing mechanism of Fluent Bit's built-in HTTP server. Improper input data processing leads to memory corruption (memory corruption) in the heap area (heap), which is classified as a heap buffer overflow. An attacker can send a specially crafted network request to the exposed HTTP server without the need for any privileges or authentication. Depending on the context and payload used, the result may be process crash, memory content leak, or code execution control takeover.

Impact

An attacker can remotely execute arbitrary code (RCE) in the context of the Fluent Bit process, gain access to sensitive data processed in the process memory, or completely disable the service (DoS), which in log collection environments may result in loss of visibility of security events.

Mitigation & patch

Fluent Bit should be updated to a version higher than 3.0.3, applying patches available in the vendor's repository (commit 9311b43a258352797af40749ab31a63c32acfd04). If immediate update is not possible, consider disabling the built-in HTTP server or restricting access to it at the firewall level to trusted hosts only.

Who is affected

Fluent Bit (Treasuredata) versions 2.0.7 to 3.0.3 inclusive, with the built-in HTTP server enabled.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Treasuredata Fluent Bit

    APP
    Treasuredata
    2.0.7 – 2.2.3 (bez)3.0.0 – 3.0.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoS
CWE
References

Related vulnerabilities

CVE-2025-12977CRITICAL9.1PL ✓ten sam produkt

Fluent Bit: brak sanityzacji tag_key umożliwia path traversal i wstrzyknięcie danych

CVE-2021-36088CRITICAL9.8ten sam produkt

Fluent Bit (aka fluent-bit) 1.7.0 through 1.7.4 has a double free in flb_free (called from flb_parser_json_do ...

CVE-2025-12970HIGH8.8ten sam produkt

The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack ...

CVE-2024-50608HIGH7.5ten sam produkt

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and list...

CVE-2024-50609HIGH7.5ten sam produkt

An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on a...