CVE-2024-4323
Fluent Bit Memory Corruption Vulnerability
9.8
CRITICAL
CVSS 3.1
EPSS 84.6%
Description
A memory corruption vulnerability exists in Fluent Bit versions 2.0.7 through 3.0.3. The issue lies in the embedded HTTP server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution.
How to fix CVE-2024-4323
To remediate CVE-2024-4323, upgrade the affected package to a fixed version listed below.
- Bitnami/fluent-bit: upgrade to 3.0.4 or later
Is CVE-2024-4323 being exploited?
Likely — EPSS is 84.6%, placing CVE-2024-4323 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- Bitnami/fluent-bit: >= 2.0.7, < 3.0.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |