
PEACH
Un cadre d’isolation des locataires
CVE-2026-44024 is a path traversal vulnerability in Fluentd that enables unauthenticated remote attackers to write arbitrary files, which can be escalated to full Remote Code Execution (RCE). The flaw exists in Fluentd's ${tag} placeholder used for dynamically constructing file paths, where insufficient validation allows injection of path traversal sequences (e.g., ../). All versions up to and including 1.19.2 are affected; the issue was disclosed and patched on June 26, 2026 with the release of v1.19.3. It carries a CVSS v3.1 base score of 9.8 (Critical) (GitHub Advisory, Fluentd Release).
The root cause is insufficient input validation of the ${tag} placeholder when constructing file paths in output plugins such as out_file (CWE-22: Path Traversal; CWE-94: Code Injection). When Fluentd is configured to accept logs from untrusted sources and uses ${tag} in the path parameter, an attacker can craft a log tag containing ../ sequences to escape the intended output directory. Combined with certain formatting options, this allows the attacker to write attacker-controlled content to arbitrary filesystem locations, including sensitive system files or Fluentd plugin directories. The fix was implemented in PR #5391 (output: enforce strict path boundary validation for tag) included in v1.19.3 (GitHub Advisory, Fluentd Release).
Successful exploitation allows an unauthenticated attacker to write or overwrite arbitrary files on the host system with attacker-controlled content, bypassing directory restrictions. This arbitrary file write primitive can be directly escalated to RCE by overwriting critical system files (e.g., /etc/cron.d/, /etc/passwd), injecting malicious Fluentd plugins, or modifying configuration files — resulting in full system compromise. The severity is amplified when Fluentd runs as root, as is common in containerized and Kubernetes logging pipelines, potentially exposing millions of cloud and Kubernetes deployments to complete confidentiality, integrity, and availability loss (GitHub Advisory, SecureBulletin).
in_forward port 24224/TCP) using tools like Shodan, Censys, or Masscan, targeting versions ≤ 1.19.2.${tag} placeholder in an output plugin's path parameter (e.g., out_file with path /var/log/fluentd/${tag}.log).../../etc/cron.d/backdoor or ../../tmp/malicious_plugin.rb, combined with attacker-controlled log content.in_forward listener (e.g., using fluent-cat or a raw TCP client implementing the MessagePack-based forward protocol).in_forward port (default 24224) from untrusted or external IP addresses; unusual volume of log forwarding traffic from unknown sources./etc/cron.d/, /etc/, /tmp/, or Fluentd plugin directories); modification timestamps on system files coinciding with Fluentd activity.../, ..%2F, or other path traversal sequences; errors or warnings related to file path boundary violations in Fluentd's output logs.curl, wget, reverse shell processes); new cron jobs or scheduled tasks created around the time of suspicious Fluentd activity (GitHub Advisory).Upgrade Fluentd to v1.19.3 or later, which enforces strict path boundary validation for the ${tag} placeholder (PR #5391) (Fluentd Release). If an immediate upgrade is not possible, apply the following mitigations in priority order:
iptables, AWS Security Groups) to block untrusted sources from reaching Fluentd input ports (default 24224/TCP)./etc/, significantly limiting RCE escalation potential.${tag} from the path parameter of output plugins (out_file, etc.) when tags may originate from untrusted sources.fluent-plugin-rewrite-tag-filter to drop any tags containing . or / characters at the input layer (GitHub Advisory).The vulnerability received broad coverage from security media outlets including CyberSecurityNews, CyberPress, VPNCentral, and SecureBulletin, with several articles highlighting the risk to cloud and Kubernetes logging pipelines (SecureBulletin, CyberSecurityNews). Belgium's Centre for Cybersecurity (CCB) issued a formal advisory warning about the critical RCE flaw (CCB Advisory). Tenable added detection coverage for the vulnerability in their container security and cloud security plugins. The Fluentd maintainer (Watson1978) published the advisory and patch simultaneously, and the reporter credited is "everping" (GitHub Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."