41 changes: 41 additions & 0 deletions gems/fluent-plugin-opentelemetry/CVE-2026-44163.yml
@@ -0,0 +1,41 @@
---
gem: fluent-plugin-opentelemetry
cve: 2026-44163
ghsa: 2jc5-xhx8-qj6h
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44163
title: fluent-plugin-opentelemetry Has Denial of Service (DoS) via
Large Payloads and Decompression Bombs in `in_opentelemetry`
date: 2026-06-25
description: |
The `fluent-plugin-opentelemetry` plugin (specifically the
`in_opentelemetry` HTTP input) lacked strict size limits on incoming
requests. It was discovered that the plugin read the entire request
body and decompressed payloads into memory without enforcing maximum
size thresholds. If the OpenTelemetry ingestion endpoint is exposed to
untrusted networks, an attacker can send an excessively large HTTP
request or a maliciously crafted, highly compressed payload.
When the plugin attempts to read or decompress this payload, it will
expand to an excessive size and it will consume significant system resources.

### Impact

This vulnerability allows for a **Denial of Service (DoS)** attack
via memory exhaustion. The rapid memory consumption during decompression
can easily lead to an Out-of-Memory kill of the Fluentd process by the
operating system. This results in the disruption of all log collection
and forwarding capabilities on the affected node.
cvss_v3: 5.3
patched_versions:
- ">= 0.5.3"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44163
- https://rubygems.org/gems/fluent-plugin-opentelemetry/versions/0.5.3
- https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/blob/main/CHANGELOG.md#053---2026-06-25
- https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/commit/ce6c1f2a7741592c8a79afbe75fded9e8ebfa92d
- https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163
- https://github.com/advisories/GHSA-2jc5-xhx8-qj6h
- https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/security/advisories/GHSA-2jc5-xhx8-qj6h
notes: |
- CVE is reserved, but not published so no non-GHSA cvss values.
- `date` value cames from Rubygems.org URL release date.
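Review bot: typo in the `notes` block at the end of this hunk: `cames` should read `came` ("`date` value came from Rubygems.org URL release date"). Two consistency points in the same file: the `description` uses a level-3 heading (`### Impact`) where the sibling fluent-plugin-s3 entry in this same change uses `## Impact`, so pick one level for both; and the `title` scalar wraps onto a second line, which only parses as a folded plain scalar if the continuation is indented, so confirm the file passes the repository's YAML check before merging.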
45 changes: 45 additions & 0 deletions gems/fluent-plugin-s3/CVE-2026-44162.yml
@@ -0,0 +1,45 @@
---
gem: fluent-plugin-s3
cve: 2026-44162
ghsa: xv9w-7v6q-hpjh
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44162
title: fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via
Decompression Bomb in `in_s3`
date: 2026-06-25
description: |
"The `fluent-plugin-s3` plugin (specifically the `in_s3` input plugin)
supports reading and decompressing heavily compressed files (such as
`gzip`, `lzma2`, and `lzop`) from Amazon S3. It was discovered that
the plugin read the entire decompressed payload into memory at once
without enforcing a strict size limit.

If an attacker has sufficient permissions to upload files to the
monitored S3 bucket, they can upload a maliciously crafted, highly
compressed file. When Fluentd attempts to decompress this file, it
will expand to an excessive size and it will consume significant
system resources.

## Impact

This vulnerability allows for a **Denial of Service (DoS)** attack
via memory exhaustion. The rapid memory consumption during decompression
can lead to an Out-of-Memory kill of the Fluentd process by the
operating system, This results in the disruption of all log collection
on the affected node.
cvss_v3: 2.7
unaffected_versions:
- "< 0.7.0"
patched_versions:
- ">= 1.8.5"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44162
- https://rubygems.org/gems/fluent-plugin-s3/versions/1.8.5
- https://github.com/fluent/fluent-plugin-s3/blob/master/ChangeLog
- https://github.com/fluent/fluent-plugin-s3/commit/e085aee001d15bcc4bd073507e74075e30550fd0
- https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163
- https://github.com/fluent/fluent-plugin-s3/security/advisories/GHSA-xv9w-7v6q-hpjh
- https://github.com/advisories/GHSA-xv9w-7v6q-hpjh
notes: |
- CVE is reserved, but not published so no non-GHSA cvss values.
- `date` value cames from Rubygems.org URL release date.
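Review bot: the fifth `related.url` entry, `https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163`, is the link from the opentelemetry advisory, not this one; it should reference the fluent-plugin-s3 / CVE-2026-44162 entry or be dropped. The `description` also opens with a stray double quote before `The \`fluent-plugin-s3\` plugin` that is never closed; remove it so the block scalar starts cleanly. Minor: `operating system, This results` is a comma splice (use a period), and `cames` in `notes` should be `came`.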
33 changes: 33 additions & 0 deletions gems/yard/CVE-2026-49342.yml
@@ -0,0 +1,33 @@
---
gem: yard
cve: 2026-49342
ghsa: pxcc-8665-phx8
url: https://nvd.nist.gov/vuln/detail/CVE-2026-49342
title: YARD static cache reads raw traversal paths before router sanitization
date: 2026-06-23
description: |
## Summary

YARD's static cache lookup reads a request path before the router's
path cleanup runs. When a server is configured with a document root,
a traversal path such as `/../yard-cache-secret.html` is joined
against that root and can return a readable sibling `.html` file
outside the intended static tree.

The potential security risk seems low, as only html-ending files can
be read, but still the risk of reading arbitrary html files is a
confiendtiality issue in itself, which is why we decided to report.
Please let us know if this is out of your project's scope.
cvss_v3: 5.3
patched_versions:
- ">= 0.9.44"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2026-49342
- https://rubygems.org/gems/yard/versions/0.9.44
- https://github.com/lsegal/yard/compare/v0.9.43...v0.9.44
- https://github.com/lsegal/yard/commit/f78c19f0dd33a407085b4ed181bb60c0aa0078b4
- https://github.com/advisories/GHSA-pxcc-8665-phx8
- https://github.com/lsegal/yard/security/advisories/GHSA-pxcc-8665-phx8
notes: |
- `date` value came from nvd.nist.gov web site.
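Review bot: the `description` carries the reporter's wording verbatim, including the typo `confiendtiality` (confidentiality) and the closing lines `which is why we decided to report. Please let us know if this is out of your project's scope.`, which are a message to the maintainer rather than advisory text; fix the typo and end the entry after the sentence about reading arbitrary `.html` files. Minor: this entry uses `## Summary` while the two fluent-plugin entries in the same change use an `Impact` heading; not a blocker, but worth aligning.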