Description

An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with access to the endpoint) to perform a remote Denial of service attack. The crash happens because of a NULL pointer dereference when 0 (from the Content-Length) is passed to the function cfl_sds_len, which in turn tries to cast a NULL pointer into struct cfl_sds. This is related to process_payload_traces_proto_ng() at opentelemetry_prot.c.

INFO

Published Date :

2025-02-18T00:00:00.000Z

Last Modified :

2025-02-19T14:58:22.328Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2024-50609 vulnerability.

Vendors Products
Treasuredata
  • Fluent Bit
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-50609.

URL Resource
https://fluentbit.io/announcements/ cve-icon cve-icon
https://github.com/fluent/fluent-bit/releases cve-icon cve-icon
https://www.ebryx.com/blogs/exploring-cve-2024-50608-and-cve-2024-50609 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact