CVE-2024-4323

Published May 20, 2024

Last updated a month ago

CVSS critical 9.8

Overview

Description: A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution.
Source: vulnreport@tenable.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

vulnreport@tenable.com: CWE-122
nvd@nist.gov: CWE-787

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:treasuredata:fluent_bit:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "991D24B7-FA94-42A6-80A8-D9E6DE71D9C3",
            "versionEndExcluding": "2.2.3",
            "versionStartIncluding": "2.0.7"
          },
          {
            "criteria": "cpe:2.3:a:treasuredata:fluent_bit:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EF85ED4D-A6E9-4117-A91B-43644AF45CA9",
            "versionEndExcluding": "3.0.4",
            "versionStartIncluding": "3.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References