Updated advisory posts against rubysec/ruby-advisory-db@8ad79ee

Author: simi

advisories/_posts/2026-06-26-CVE-2026-44024.md

@@ -0,0 +1,50 @@
+---
+layout: advisory
+title: 'CVE-2026-44024 (fluentd): Fluentd is Vulnerable to Remote Code Execution (RCE)
+  via Arbitrary File Write in `${tag}` Placeholder'
+comments: false
+categories:
+- fluentd
+advisory:
+  gem: fluentd
+  cve: 2026-44024
+  ghsa: 44hj-4m45-frj3
+  url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44024
+  title: Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write
+    in `${tag}` Placeholder
+  date: 2026-06-26
+  description: |-
+    Fluentd allows dynamically constructing file paths using the `${tag}`
+    placeholder. It was discovered that validation for this placeholder
+    was insufficient.
+
+    If a Fluentd instance is configured to receive logs from untrusted
+    sources and uses the `${tag}` placeholder in file configurations
+    (such as the `path` parameter in the `out_file` plugin), an attacker
+    can inject path traversal characters (e.g., `../`).
+
+    When combined with certain formatting options, this vulnerability allows
+    an attacker to write arbitrary files or overwrite existing files on
+    the system with attacker-controlled content, bypassing intended
+    directory restrictions.
+
+    ### Impact
+
+    This vulnerability allows for **Arbitrary File Write**, which can be
+    directly escalated to full **Remote Code Execution (RCE)**.
+    An attacker could achieve RCE by overwriting critical system files,
+    injecting executable plugins, or modifying configuration files.
+    The impact is Critical as it can lead to full system compromise without
+    any authentication, depending on the Fluentd configuration and the
+    privileges of the Fluentd process.
+  cvss_v3: 9.8
+  patched_versions:
+  - ">= 1.19.3"
+  related:
+    url:
+    - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44024
+    - https://github.com/fluent/fluentd/releases/tag/v1.19.3
+    - https://github.com/advisories/GHSA-44hj-4m45-frj3
+    - https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3
+  notes: "- CVE is reserved, but not published so no non-GHSA cvss values.\n"
+---

advisories/_posts/2026-06-26-CVE-2026-44025.md

@@ -0,0 +1,46 @@
+---
+layout: advisory
+title: 'CVE-2026-44025 (fluentd): Fluentd is Vulnerable to Exposure of Sensitive Information
+  via Monitor Agent API'
+comments: false
+categories:
+- fluentd
+advisory:
+  gem: fluentd
+  cve: 2026-44025
+  ghsa: pr7j-96cj-549h
+  url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44025
+  title: Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent
+    API
+  date: 2026-06-26
+  description: |-
+    Fluentd's Monitor Agent plugin (`in_monitor_agent`) exposes internal
+    metrics and plugin information via a REST API.
+    It was discovered that the API response (`/api/plugins.json` and
+    related endpoints) unintentionally includes internal instance
+    variables of loaded plugins.
+
+    If any plugins store sensitive information—such as database passwords,
+    API keys, or cloud credentials—in its instance variables, this
+    information may be exposed in plain text to any user or system
+    that has HTTP access to the Monitor Agent API.
+
+    ### Impact
+
+    This vulnerability allows for unauthorized information disclosure. An
+    attacker who can reach the Monitor Agent API port (default: `24220`)
+    can potentially extract sensitive credentials used by other Fluentd plugins.
+    The impact severity depends highly on the network configuration (whether
+    the Monitor Agent port is exposed to untrusted networks) and the
+    specific plugins configured in the Fluentd instance.
+  cvss_v3: 7.5
+  patched_versions:
+  - ">= 1.19.3"
+  related:
+    url:
+    - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44025
+    - https://github.com/fluent/fluentd/releases/tag/v1.19.3
+    - https://github.com/advisories/GHSA-pr7j-96cj-549h
+    - https://github.com/fluent/fluentd/security/advisories/GHSA-pr7j-96cj-549h
+  notes: "- CVE is reserved, but not published so no non-GHSA cvss values.\n"
+---

advisories/_posts/2026-06-26-CVE-2026-44160.md

@@ -0,0 +1,46 @@
+---
+layout: advisory
+title: 'CVE-2026-44160 (fluentd): Fluentd is Vulnerable to Denial of Service (DoS)
+  via Gzip Decompression Bomb in `in_http` and `in_forward`'
+comments: false
+categories:
+- fluentd
+advisory:
+  gem: fluentd
+  cve: 2026-44160
+  ghsa: j9cw-hwqf-85w7
+  url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44160
+  title: Fluentd is Vulnerable to Denial of Service (DoS) via Gzip Decompression Bomb
+    in `in_http` and `in_forward`
+  date: 2026-06-26
+  description: |-
+    Fluentd's `in_http` and `in_forward` plugins support receiving
+    gzip-compressed data.
+
+    While Fluentd correctly enforces size limits on the incoming
+    compressed payloads (e.g., via `body_size_limit` or `chunk_size_limit`),
+    it was discovered that there is no limit enforced on the size of the
+    decompressed data. If a Fluentd instance is exposed to untrusted
+    networks, an attacker can send a maliciously crafted, highly
+    compressed payload. When Fluentd attempts to decompress this payload
+    in memory, it will expand to an excessive size, completely bypassing
+    the intended payload size limits.
+
+    ### Impact
+
+    This vulnerability allows for a **Denial of Service (DoS)** attack
+    via memory exhaustion. The rapid memory consumption during decompression
+    can easily lead to an Out-of-Memory kill of the Fluentd process by
+    the operating  system. This results in the disruption of all log
+    collection and forwarding capabilities on the affected node.
+  cvss_v3: 7.5
+  patched_versions:
+  - ">= 1.19.3"
+  related:
+    url:
+    - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44160
+    - https://github.com/fluent/fluentd/releases/tag/v1.19.3
+    - https://github.com/advisories/GHSA-j9cw-hwqf-85w7
+    - https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7
+  notes: "- CVE is reserved, but not published so no non-GHSA cvss values.\n"
+---

advisories/_posts/2026-06-26-CVE-2026-44161.md

@@ -0,0 +1,40 @@
+---
+layout: advisory
+title: 'CVE-2026-44161 (fluentd): Fluentd is Vulnerable to Server-Side Request Forgery
+  (SSRF) via Placeholder Expansion in `out_http`'
+comments: false
+categories:
+- fluentd
+advisory:
+  gem: fluentd
+  cve: 2026-44161
+  ghsa: 72f5-rr8c-r6gr
+  url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44161
+  title: Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder
+    Expansion in `out_http`
+  date: 2026-06-26
+  description: |-
+    The `out_http` output plugin allows the use of placeholders (such as
+    `${tag}`) in the `endpoint` configuration parameter. It was discovered
+    that if the placeholder value is derived from untrusted user input,
+    an attacker can maliciously control the destination hostname of the
+    outbound HTTP requests made by Fluentd.
+
+    ## Impact
+
+    This vulnerability allows for a **Server-Side Request Forgery (SSRF)**
+    attack. An unauthenticated attacker can force the Fluentd node to send
+    HTTP requests to arbitrary internal services. This can lead to
+    unauthorized access to internal APIs, data exfiltration, or the
+    compromise of cloud metadata endpoints (e.g., AWS IMDS `169.254.169.254`).
+  cvss_v3: 7.2
+  patched_versions:
+  - ">= 1.19.3"
+  related:
+    url:
+    - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44161
+    - https://github.com/fluent/fluentd/releases/tag/v1.19.3
+    - https://github.com/advisories/GHSA-72f5-rr8c-r6gr
+    - https://github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr
+  notes: "- CVE is reserved, but not published so no non-GHSA cvss values.\n"
+---