CVE-2021-46878
published 2023-04-11CVE-2021-46878: An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets…
PriorityP339high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EPSS
0.35%
26.9th percentile
An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps and arrays, leading to use-after-free. This can be used by an attacker to craft a specially craft file and trick the victim opening it using the affect software, triggering use-after-free and execute arbitrary code on the target system.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_fluent-bit_1.5.2-3_on_cbl_mariner_1.0 | — | — |
| treasuredata | fluent_bit | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vendor_msrc7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-r3hq-4h29-qfq9: An issue was discovered in Treasure Data Fluent Bit 1
ghsa_unreviewed·2023-04-11
CVE-2021-46878 [HIGH] CWE-843 GHSA-r3hq-4h29-qfq9: An issue was discovered in Treasure Data Fluent Bit 1
An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps and arrays, leading to use-after-free. This can be used by an attacker to craft a specially craft file and trick the victim opening it using the affect software, triggering use-after-free and execute arbitrary code on the target system.
Microsoft
An issue was discovered in Treasure Data Fluent Bit 1.7.1 erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps and
vendor_msrc·2023-04-11·CVSS 7.8
CVE-2021-46878 [HIGH] CWE-843 An issue was discovered in Treasure Data Fluent Bit 1.7.1 erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps and
An issue was discovered in Treasure Data Fluent Bit 1.7.1 erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps and arrays leading to use-after-free. This can be used by an attacker to craft a specially craft file and trick the victim opening it using the affect software triggering use-after-free and execute arbitrary code on the target system.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro i
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-04-11
Published