Yong Tang

Name of the Vulnerable Software and Affected Versions: Fluent Bit version 1.6.10 Description: The issue is related to a NULL pointer dereference that occurs when the return value of `flb malloc` is not validated by `flb avro.c` or `http server/api/v1/metrics.c`. This can lead to a crash or potentially allow an attacker to execute arbitrary code. The `http server/api/v1/metrics.c` file is specifically mentioned as a vulnerable component, with the `/api/v1/metrics` endpoint being a point of interest. Recommendations: For Fluent Bit version 1.6.10, consider disabling the `flb avro.c` and `http server/api/v1/metrics.c` components until a patch is available. Restrict access to the `/api/v1/metrics` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.