PT-2021-17305 · Unknown · Fluent-Bit

Author: Yong Tang (+1)
Published: 2021-02-10 · Updated: 2024-03-06
CVE-2021-27186
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Fluent Bit version 1.6.10
Description: The issue is a NULL pointer dereference that occurs because the return value of flb_malloc is not validated in flb_avro.c or http_server/api/v1/metrics.c. This can lead to a crash or potentially allow an attacker to execute arbitrary code. The http_server/api/v1/metrics.c file is specifically named as a vulnerable component, with the /api/v1/metrics endpoint being the relevant entry point.
Recommendations: For Fluent Bit version 1.6.10, consider disabling the flb_avro.c and http_server/api/v1/metrics.c components until a patch is available. Restrict access to the /api/v1/metrics endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration: NULL Pointer Dereference

Related Identifiers:
BIT-FLUENT-BIT-2021-27186
CVE-2021-27186

Affected Products: Fluent-Bit