VYPR
Low severityNVD Advisory· Published Nov 2, 2022· Updated Apr 23, 2025

Fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)

CVE-2022-39379

Description

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use FLUENT_OJ_OPTION_MODE=object.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
fluentdRubyGems
>= 1.13.2, < 1.15.31.15.3

Affected products

3
  • osv-coords2 versions
    >= 1.13.2, < 1.15.3+ 1 more
    • (no CPE)range: >= 1.13.2, < 1.15.3
    • (no CPE)range: >= 1.13.2, < 1.15.3
  • fluent/fluentdv5
    Range: >= 1.13.2, < 1.15.3

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.