CVE-2024-50608 — NULL Pointer Dereference in Fluent BIT

CWE-476 — NULL Pointer Dereference3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Treasuredata Fluent BIT Msrc Azl3 Fluent-bit 3.1.9-3 ON Azure Linux 3.0 Msrc Azl3 Fluent-bit 3.1.9-4 ON Azure Linux 3.0 +1 more

Timeline

PublishedFeb 18

Description

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in tur…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDtreasuredata/fluent_bit3.1.9

▶msrcmsrc/azl3_fluent-bit_3.1.9-3_on_azure_linux_3.0

▶msrcmsrc/azl3_fluent-bit_3.1.9-4_on_azure_linux_3.0

▶msrcmsrc/cbl2_fluent-bit_3.0.6-2_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

GHSA-x9j4-33qm-hgjp: An issue was discovered in Fluent Bit 3↗2025-02-18

▶

📋Vendor Advisories

Microsoft

▶