7.5

CVE-2024-50608

Exploit

EPSS 0.48%
Veröffentlicht 18.02.2025 18:15:25
Zuletzt bearbeitet 22.04.2025 14:54:16
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in turn tries to cast a NULL pointer into struct cfl_sds. This is related to process_payload_metrics_ng() at prom_rw_prot.c.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Treasuredata ≫ Fluent Bit Version3.1.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.48%	0.645

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://fluentbit.io/announcements/

Product

https://github.com/fluent/fluent-bit/releases

Release Notes

https://www.ebryx.com/blogs/exploring-cve-2024-50608-and-cve-2024-50609

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-50608

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-50608

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-50608

EUVD