PT-2021-14397 · Fleet · Fleet

Dsbaha · Published 2021-02-10 · Updated 2022-10-21 · CVE-2021-21296

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 3.7.0
Description: A malicious actor holding a valid node key (that is, any enrolled osquery host, or anyone who has obtained an enrolled host's key) can send a malformed request that causes the Fleet server process to exit, resulting in denial of service for every host it serves. The request is only effective while a live query is in progress. The impact is considered low because a valid node key is required; there is no information disclosure, privilege escalation, or code execution.
Recommendations: For versions prior to 3.7.0, update to Fleet 3.7.0, which resolves the issue. As a temporary workaround, restrict network access to the Fleet server to the hosts that need to reach it, and treat node keys as credentials, since any holder of one can trigger the crash.
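The advisory does not say which code path fails, so the following is an added illustration of the class of defect, not Fleet's code and not the actual root cause. It is written in Go because the Fleet server is a Go program. It takes an osquery-style distributed results body (field names and the "fleet_distributed_query_<id>" naming are assumptions for the example) and shows a naive ingestion routine that panics on a malformed query name beside a strict one that rejects the request with an error; the comment on the naive version explains why a panic on the wrong goroutine ends the whole process rather than one request. The sample bodies are constructed.

```go
// Added example, not Fleet's code. Field names and the
// "fleet_distributed_query_<id>" naming convention are assumptions.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// distributedWrite approximates an osquery distributed/write body:
// result rows keyed by query name, plus a status code per query.
type distributedWrite struct {
	NodeKey  string                         `json:"node_key"`
	Queries  map[string][]map[string]string `json:"queries"`
	Statuses map[string]json.RawMessage     `json:"statuses"`
}

// liveQueryResult is what the hypothetical live-query subsystem consumes.
type liveQueryResult struct {
	CampaignID uint
	Rows       []map[string]string
	Status     int
}

const queryPrefix = "fleet_distributed_query_" // assumed naming convention
var errMalformed = errors.New("malformed distributed write")

// ingestNaive trusts the body: decode errors are ignored and the query name is
// sliced without a length check, so a name shorter than the prefix panics.
// net/http recovers a panic on the handler goroutine, but a panic in a goroutine
// the handler spawned (e.g. async result publishing) terminates the whole process.
func ingestNaive(body []byte) []liveQueryResult {
	var req distributedWrite
	_ = json.Unmarshal(body, &req)
	var out []liveQueryResult
	for name, rows := range req.Queries {
		id, _ := strconv.Atoi(name[len(queryPrefix):]) // panics on short names
		var status int
		_ = json.Unmarshal(req.Statuses[name], &status)
		out = append(out, liveQueryResult{CampaignID: uint(id), Rows: rows, Status: status})
	}
	return out
}

// ingestStrict validates every field it relies on and returns an error instead
// of panicking: one bad request from one enrolled host costs that host a 4xx,
// not every host the server. expected holds the campaign IDs with a live query
// in progress, so results for anything else are rejected too.
func ingestStrict(body []byte, expected map[uint]bool) ([]liveQueryResult, error) {
	var req distributedWrite
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, fmt.Errorf("%w: %v", errMalformed, err)
	}
	out := make([]liveQueryResult, 0, len(req.Queries))
	for name, rows := range req.Queries {
		if !strings.HasPrefix(name, queryPrefix) {
			return nil, fmt.Errorf("%w: unexpected query name %q", errMalformed, name)
		}
		id, err := strconv.ParseUint(strings.TrimPrefix(name, queryPrefix), 10, 32)
		if err != nil {
			return nil, fmt.Errorf("%w: bad campaign id in %q", errMalformed, name)
		}
		if !expected[uint(id)] {
			return nil, fmt.Errorf("%w: no live query with campaign id %d", errMalformed, id)
		}
		status, err := parseStatus(req.Statuses[name])
		if err != nil {
			return nil, fmt.Errorf("%w: status for %q: %v", errMalformed, name, err)
		}
		out = append(out, liveQueryResult{CampaignID: uint(id), Rows: rows, Status: status})
	}
	return out, nil
}

// parseStatus accepts 0 or "0" (json.Number takes a JSON number or a numeric
// string) and rejects a missing status or anything non-numeric.
func parseStatus(raw json.RawMessage) (int, error) {
	var n json.Number
	if err := json.Unmarshal(raw, &n); err != nil {
		return 0, err
	}
	i, err := n.Int64()
	return int(i), err
}

// didPanic reports whether fn panicked: the recover pattern any goroutine
// that processes agent input should carry.
func didPanic(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	bad := []byte(`{"node_key":"k1","queries":{"x":[]}}`) // constructed malformed body
	fmt.Println("naive panics:", didPanic(func() { ingestNaive(bad) }))
	_, err := ingestStrict(bad, map[uint]bool{42: true})
	fmt.Println("strict rejects:", err)
}
```

The check on expected campaign IDs is what makes the "only while a live query is ongoing" condition explicit: results that arrive for a campaign the server is not tracking are refused rather than fed into bookkeeping that assumes the campaign exists.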

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2021-21296
GHSA-XWH8-9P3F-3X45

Affected Products

Fleet