CVE-2021-46878

Name of the Vulnerable Software and Affected Versions Treasure Data Fluent Bit version 1.7.1

Description An issue was discovered in Treasure Data Fluent Bit, where erroneous parsing in flb pack msgpack to json format leads to a type confusion bug. This bug interprets whatever is on the stack as msgpack maps and arrays, leading to use-after-free. An attacker can craft a specially crafted file and trick the victim into opening it using the affected software, triggering use-after-free and executing arbitrary code on the target system.

Recommendations For Treasure Data Fluent Bit version 1.7.1, consider disabling the flb pack msgpack to json format function until a patch is available to prevent exploitation. Restrict access to potentially vulnerable files to minimize the risk of triggering the use-after-free bug. At the moment, there is no information about a newer version that contains a fix for this vulnerability.