Sync with GitHub Security Advisories

reedloden · reedloden · commit d97d6c7eacab · 2022-11-05T17:39:19.000-07:00
* Add CVE-2022-39379 for fluentd
diff --git a/gems/fluentd/CVE-2022-39379.yml b/gems/fluentd/CVE-2022-39379.yml
@@ -0,0 +1,38 @@
+---
+gem: fluentd
+cve: 2022-39379
+ghsa: fppq-mj76-fpj2
+url: https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
+title: fluentd vulnerable to remote code execution due to insecure deserialization
+  (in non-default configuration)
+date: 2022-11-02
+description: |
+  ### Impact
+  A remote code execution (RCE) vulnerability in non-default configurations of
+  Fluentd allows unauthenticated attackers to execute arbitrary code via
+  specially crafted JSON payloads.
+
+  Fluentd setups are only affected if the environment variable
+  `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`.
+
+  Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd
+  version 1.13.2. Earlier versions of Fluentd are not affected by this
+  vulnerability.
+
+  ### Patches
+  v1.15.3
+
+  ### Workarounds
+  Do not use `FLUENT_OJ_OPTION_MODE=object`.
+
+  ### References
+  * GHSL-2022-067
+cvss_v3: 3.1
+unaffected_versions:
+- "< 1.13.2"
+patched_versions:
+- ">= 1.15.3"
+related:
+  url:
+  - https://securitylab.github.com/advisories/GHSL-2022-067_fluentd/
+  - https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
