7.2 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3.
References
-
https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr x_refsource_CONFIRM
-
https://github.com/fluent/fluentd/pull/5394 x_refsource_MISC
-
https://github.com/fluent/fluentd/releases/tag/v1.19.3 x_refsource_MISC
Affected products
- ==< 1.19.3
Package maintainers
-
@nicknovitski Nick Novitski <nixpkgs@nicknovitski.com>