CVE-2024-4323
published 2024-05-20

Priority: P2 · 69 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.31% (97.9th percentile)
A memory corruption vulnerability in Fluent Bit versions 2.0.7 through 3.0.3. This issue lies in the embedded HTTP server's parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution.

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fluent_bit | fluent_bit | 2.0.7 – 3.0.3 | |
| msrc | azl3_fluent-bit_3.0.3-1_on_azure_linux_3.0 | | |
| msrc | azl3_fluent-bit_3.0.6-1_on_azure_linux_3.0 | | |
| msrc | azure_linux_3.0_arm | | |
| msrc | azure_linux_3.0_x64 | | |
| msrc | cbl2_fluent-bit_2.2.3-1_on_cbl_mariner_2.0 | | |
| msrc | cbl2_fluent-bit_2.2.3-7_on_cbl_mariner_2.0 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |
| treasuredata | fluent_bit | >= 2.0.7 < 2.2.3 | 2.2.3 |
| treasuredata | fluent_bit | >= 3.0.0 < 3.0.4 | 3.0.4 |

Detection & IOCs (extracted from sources)

command: python3 -c 'print("{\"output\":\"stdout\", \"params\": {\"format\": \"json\"},\"inputs\":[\"" + "A"*8 + "\"," + str(0xffffffff) + ", \"" + "B"*500 + "\"]}")' > test
command: curl -v http://<host>:2020/api/v1/traces/ -H "Content-Type: application/json" -H "Expect: " --data "@test"
port: 2020
url: https://github.com/fluent/fluent-bit/commit/9311b43a258352797af40749ab31a63c32acfd04
  • Alert on Fluent Bit process crashes or unexpected restarts, which may indicate active DoS exploitation via heap-buffer-overflow triggered by the traces endpoint.
  • Look for large or anomalous Content-Length values in requests to port 2020 (Fluent Bit's default monitoring API port), particularly with Content-Type: application/json headers targeting the traces endpoint.
  • Identify Fluent Bit versions 2.0.7 through 3.0.3 in your environment as vulnerable; version 3.0.4 contains the fix.
  • If the /api/v1/traces endpoint is not in use, disabling it entirely removes the attack surface.
  • Even without active exploitation, unauthenticated access to Fluent Bit monitoring endpoints alone can result in cross-tenant information leakage in cloud environments.

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_msrc · 9.8 CRITICAL