Fuzzztf

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.80.1 **Description** An issue in the IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. The software extracts client IP addresses from request headers (`True-Client-IP`, `X-Real-IP`, `X-Forwarded-For`) without validating if they originate from a trusted proxy. Since the extracted IP serves as the key for rate limiting and IP ban decisions, an attacker can rotate these header values to make each request appear as if it comes from a different client. This enables unrestricted brute-force or credential stuffing attacks against sensitive endpoints, such as the login API. This primarily affects instances exposed to the public internet without a reverse proxy that overwrites forwarded-IP headers. **Recommendations** Update to version 4.80.1. Deploy the software behind a reverse proxy that overwrites `X-Forwarded-For` with the true client IP and apply rate limiting at the proxy or WAF layer.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.80.1 **Description** Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls. The software determines a client’s public IP address using HTTP headers such as "X-Forwarded-For", "X-Real-IP", and "True-Client-IP", which were trusted without validation. An attacker could supply arbitrary values in these headers, causing the system to treat each request as originating from a different IP address, thereby increasing the effectiveness of brute-force or password-spraying attempts against authentication endpoints. **Recommendations** Update to version 4.80.1. Run Fleet behind a trusted reverse proxy or load balancer that overwrites client IP headers.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.81.0 **Description** A denial-of-service (DoS) issue exists in the gRPC Launcher "PublishLogs" endpoint. Certain unexpected input values are not handled gracefully, which can cause the server process to terminate while processing an authenticated request from an enrolled Launcher host. An authenticated attacker with access to any enrolled Launcher node key can cause a complete denial of service by sending a single gRPC request to the "PublishLogs" endpoint. This issue impacts availability only, with no exposure of sensitive data, authentication bypass, privilege escalation, or integrity impact. **Recommendations** Update to version 4.81.0. Restrict network access to the Fleet gRPC endpoint by limiting inbound access to known host IP ranges. Deploy Fleet behind infrastructure that terminates or filters gRPC traffic if Launcher log ingestion is not required. Monitor for repeated process crashes or unexpected restarts.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.81.0 **Description** Fleet, an open-source device management software, contains a flaw in its gRPC Launcher endpoint. An authenticated host can exploit this to cause a denial-of-service condition, leading to the termination of the entire Fleet server process. This disruption impacts all connected hosts, Mobile Device Management (MDM) enrollments, and API consumers by sending an unexpected log type value to the `gRPC Launcher` endpoint. **Recommendations** Update to version 4.81.0 or later.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.81.1 **Description** Fleet, an open source device management software, contains an issue in its Windows MDM command processing. A malicious enrolled device can access MDM commands intended for other devices. This could expose sensitive configuration data, including WiFi credentials, VPN secrets, and certificate payloads, across the entire Windows fleet. **Recommendations** Update to version 4.81.1 or later.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.81.0 **Description** Fleet, an open source device management software, had a flaw in how user invitations were handled. Specifically, the email address entered when accepting an invitation wasn’t checked against the email address linked to the original invitation. This allowed an attacker with a valid invite token to create an account using any email address and gain the role assigned to the invitation, potentially including global administrator privileges. **Recommendations** Update to version 4.81.0 or later.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.81.0 **Description** Fleet’s password management logic had a flaw that allowed previously issued password reset tokens to remain valid even after a user changed their password. This meant a stale token could be reused to reset the account password after a defensive password change. Exploitation requires prior compromise of a password reset token and is limited by the token’s 24-hour expiration period. The issue does not allow discovery of reset tokens, does not bypass authentication on its own, and does not affect accounts without an existing valid reset token. **Recommendations** Versions prior to 4.81.0 should be updated to version 4.81.0 or later. As a temporary workaround, users who believe a password reset token may have been exposed should wait for the token to expire before reusing the account, or contact a Fleet administrator to invalidate active sessions.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.81.0 **Description** Fleet, an open source device management software, has multiple unauthenticated HTTP endpoints that do not enforce a size limit when reading request bodies. An unauthenticated attacker can exploit this by sending large or repeated HTTP payloads, leading to excessive memory allocation and a denial-of-service (DoS) condition. The issue impacts availability only, with no exposure of sensitive data, authentication bypass, privilege escalation, or integrity impact. **Recommendations** Versions prior to 4.81.0 should be upgraded to version 4.81.0 or later. As a temporary workaround, apply request body size limits at a reverse proxy or load balancer (e.g., NGINX, Envoy). Restrict network access to the endpoints to known IP ranges where feasible. Monitor memory usage and restart frequency for abnormal patterns.

**Name of the Vulnerable Software and Affected Versions** Fleet versions prior to 4.80.1 **Description** Fleet is open source device management software. A SQL injection issue exists due to unsafe use of `goqu.I()` when constructing the `ORDER BY` clause. This allows authenticated users to inject arbitrary SQL expressions via the `order key` query parameter. An authenticated attacker with access to the affected endpoint could inject SQL expressions into the underlying MySQL query. Although the injection occurs in an `ORDER BY` context, it is sufficient to enable blind SQL injection techniques that can disclose database information through conditional expressions that affect result ordering. Crafted expressions may also cause excessive computation or query failures, potentially leading to degraded performance or denial of service. The vulnerable parameter is `order key`. **Recommendations** Upgrade to Fleet version 4.80.1 or later. If an immediate upgrade is not possible, restrict access to the affected endpoint to trusted roles only. Ensure that any user-supplied sort or column parameters are strictly allow-listed at the application or proxy layer.