CVE-2021-46878: 
CBL Mariner vulnerability analysis and mitigation

An issue was discovered in Treasure Data Fluent Bit 1.7.1, involving erroneous parsing in flbpackmsgpacktojson_format that leads to a type confusion vulnerability. The bug causes the system to incorrectly interpret stack data as msgpack maps and arrays, resulting in use-after-free conditions (NVD, OSS-Fuzz).

The vulnerability stems from missing type checking of msgpack objects in the flbpackmsgpacktojson_format function. This oversight leads to type confusion vulnerabilities where the system incorrectly interprets arbitrary stack data as msgpack maps and arrays. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability can allow an attacker to execute arbitrary code on the target system by crafting a specially designed file and tricking a victim into opening it with the affected software. The impact includes potential unauthorized code execution, system compromise, and data breach due to the use-after-free condition (NVD).

A fix for this vulnerability was submitted through a pull request (#3115) to the Fluent Bit repository. The patch addresses the type confusion bugs by implementing proper type checking of msgpack objects in the affected function (GitHub PR).