Fluentd Escape Sequence Injection Vulnerability
Published: May 13, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2017-10906 (NVD)
- GHSA: GHSA-5jrp-w8fr-mrww
- Vendor Advisory: https://github.com/fluent/fluentd/pull/1733
GEM
fluentd
SEVERITY
CVSS v3.x: 9.8 (Critical)
UNAFFECTED VERSIONS
< 0.12.29
PATCHED VERSIONS
>= 0.12.41
DESCRIPTION
Escape sequence injection vulnerability in Fluentd versions 0.12.29 through 0.12.40 may allow an attacker to change the terminal UI or execute arbitrary commands on the device via unspecified vectors.
