diff --git a/gems/fluent-plugin-opentelemetry/CVE-2026-44163.yml b/gems/fluent-plugin-opentelemetry/CVE-2026-44163.yml new file mode 100644 index 0000000000..de3cf36d9d --- /dev/null +++ b/gems/fluent-plugin-opentelemetry/CVE-2026-44163.yml 
@@ -0,0 +1,41 @@ +--- +gem: fluent-plugin-opentelemetry +cve: 2026-44163 +ghsa: 2jc5-xhx8-qj6h +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44163 +title: fluent-plugin-opentelemetry Has Denial of Service (DoS) via + Large Payloads and Decompression Bombs in `in_opentelemetry` +date: 2026-06-25 +description: | + The `fluent-plugin-opentelemetry` plugin (specifically the + `in_opentelemetry` HTTP input) lacked strict size limits on incoming + requests. It was discovered that the plugin read the entire request + body and decompressed payloads into memory without enforcing maximum + size thresholds. If the OpenTelemetry ingestion endpoint is exposed to + untrusted networks, an attacker can send an excessively large HTTP + request or a maliciously crafted, highly compressed payload. + When the plugin attempts to read or decompress this payload, it will + expand to an excessive size and it will consume significant system resources. + + ### Impact + + This vulnerability allows for a **Denial of Service (DoS)** attack + via memory exhaustion. The rapid memory consumption during decompression + can easily lead to an Out-of-Memory kill of the Fluentd process by the + operating system. This results in the disruption of all log collection + and forwarding capabilities on the affected node. 
+cvss_v3: 5.3 +patched_versions: + - ">= 0.5.3" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44163 + - https://rubygems.org/gems/fluent-plugin-opentelemetry/versions/0.5.3 + - https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/blob/main/CHANGELOG.md#053---2026-06-25 + - https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/commit/ce6c1f2a7741592c8a79afbe75fded9e8ebfa92d + - https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163 + - https://github.com/advisories/GHSA-2jc5-xhx8-qj6h + - https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/security/advisories/GHSA-2jc5-xhx8-qj6h +notes: | + - CVE is reserved, but not published so no non-GHSA cvss values. + - `date` value cames from Rubygems.org URL release date. diff --git a/gems/fluent-plugin-s3/CVE-2026-44162.yml b/gems/fluent-plugin-s3/CVE-2026-44162.yml new file mode 100644 index 0000000000..313e62d634 --- /dev/null +++ b/gems/fluent-plugin-s3/CVE-2026-44162.yml 
@@ -0,0 +1,45 @@ +--- +gem: fluent-plugin-s3 +cve: 2026-44162 +ghsa: xv9w-7v6q-hpjh +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44162 +title: fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via + Decompression Bomb in `in_s3` +date: 2026-06-25 +description: | + "The `fluent-plugin-s3` plugin (specifically the `in_s3` input plugin) + supports reading and decompressing heavily compressed files (such as + `gzip`, `lzma2`, and `lzop`) from Amazon S3. It was discovered that + the plugin read the entire decompressed payload into memory at once + without enforcing a strict size limit. + + If an attacker has sufficient permissions to upload files to the + monitored S3 bucket, they can upload a maliciously crafted, highly + compressed file. When Fluentd attempts to decompress this file, it + will expand to an excessive size and it will consume significant + system resources. + + ## Impact + + This vulnerability allows for a **Denial of Service (DoS)** attack + via memory exhaustion. The rapid memory consumption during decompression + can lead to an Out-of-Memory kill of the Fluentd process by the + operating system, This results in the disruption of all log collection + on the affected node. +cvss_v3: 2.7 +unaffected_versions: + - "< 0.7.0" +patched_versions: + - ">= 1.8.5" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44162 + - https://rubygems.org/gems/fluent-plugin-s3/versions/1.8.5 + - https://github.com/fluent/fluent-plugin-s3/blob/master/ChangeLog + - https://github.com/fluent/fluent-plugin-s3/commit/e085aee001d15bcc4bd073507e74075e30550fd0 + - https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163 + - https://github.com/fluent/fluent-plugin-s3/security/advisories/GHSA-xv9w-7v6q-hpjh + - https://github.com/advisories/GHSA-xv9w-7v6q-hpjh +notes: | + - CVE is reserved, but not published so no non-GHSA cvss values. + - `date` value cames from Rubygems.org URL release date. 
diff --git a/gems/yard/CVE-2026-49342.yml b/gems/yard/CVE-2026-49342.yml new file mode 100644 index 0000000000..ad402d9a4b --- /dev/null +++ b/gems/yard/CVE-2026-49342.yml @@ -0,0 +1,33 @@ +--- +gem: yard +cve: 2026-49342 +ghsa: pxcc-8665-phx8 +url: https://nvd.nist.gov/vuln/detail/CVE-2026-49342 +title: YARD static cache reads raw traversal paths before router sanitization +date: 2026-06-23 +description: | + ## Summary + + YARD's static cache lookup reads a request path before the router's + path cleanup runs. When a server is configured with a document root, + a traversal path such as `/../yard-cache-secret.html` is joined + against that root and can return a readable sibling `.html` file + outside the intended static tree. + + The potential security risk seems low, as only html-ending files can + be read, but still the risk of reading arbitrary html files is a + confiendtiality issue in itself, which is why we decided to report. + Please let us know if this is out of your project's scope. +cvss_v3: 5.3 +patched_versions: + - ">= 0.9.44" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2026-49342 + - https://rubygems.org/gems/yard/versions/0.9.44 + - https://github.com/lsegal/yard/compare/v0.9.43...v0.9.44 + - https://github.com/lsegal/yard/commit/f78c19f0dd33a407085b4ed181bb60c0aa0078b4 + - https://github.com/advisories/GHSA-pxcc-8665-phx8 + - https://github.com/lsegal/yard/security/advisories/GHSA-pxcc-8665-phx8 +notes: | + - `date` value came from nvd.nist.gov web site.
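Review bot: In the first hunk (gems/fluent-plugin-opentelemetry/CVE-2026-44163.yml), the cve.org search URL is listed twice, once as the top-level `url:` and again as the first entry under `related: url:`; the `related` list is meant for additional references, so the duplicate entry can be dropped. The second bullet of `notes` has a typo, "cames", which should read "`date` value came from Rubygems.org URL release date." (the yard file in this same patch already uses "came"). The description also states that the vulnerability is memory exhaustion of the Fluentd process, while `cvss_v3` is recorded as 5.3; since the note explains that only the GHSA score is available for this reserved CVE, consider saying so explicitly next to the score ("GHSA-assigned") so a later editor does not mistake it for an NVD value.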
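Review bot: In the second hunk (gems/fluent-plugin-s3/CVE-2026-44162.yml), the `related: url:` entry `https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163` points at the other advisory in this patch, not at fluent-plugin-s3; it looks copied from the first file and should be replaced with the corresponding fluent-plugin-s3 / CVE-2026-44162 entry if one exists, or removed. The `description` block scalar also opens with a stray double quote before "The `fluent-plugin-s3` plugin" that is never closed, so it will render literally; drop it. Smaller points in the same hunk: the `unaffected_versions` claim `"< 0.7.0"` is not backed by any reference in `notes` or `related`, so a line explaining where that boundary comes from (for example the release that introduced `in_s3` decompression) would help future reviewers; the ChangeLog link uses an unanchored `blob/master/ChangeLog` where the opentelemetry file anchors its changelog to the fixed release; and the `notes` typo "cames" should be "came".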
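Review bot: In the third hunk (gems/yard/CVE-2026-49342.yml), the second paragraph of `description` ("The potential security risk seems low ... Please let us know if this is out of your project's scope.") is the reporter's message to the maintainers rather than a description of the issue, and it carries a typo ("confiendtiality"); suggest keeping only the first paragraph, or, if the impact statement is wanted, rewording it as a plain sentence such as "Only files ending in `.html` can be read, which limits the impact to a confidentiality issue." The first paragraph is otherwise clear and matches the title (raw traversal path read before router sanitization). For consistency with the other two files in this patch, consider adding a `notes` bullet stating where `cvss_v3: 5.3` was taken from (NVD or GHSA), since only the `date` provenance is recorded.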