Vulnerability CVE-2021-21296
Published: 2021-02-10

Description:
Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing. We believe the impact of this vulnerability to be low given the requirement that the actor has a valid node key. There is no information disclosure, privilege escalation, or code execution. The issue is fixed in Fleet 3.7.0.

Type:

CWE-400

 (Uncontrolled Resource Consumption ('Resource Exhaustion'))

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial
Affected software
Fleetdm -> Fleet 

 References:
https://github.com/fleetdm/fleet/commit/f68f4238e83b45b2164e4ed05df14af0f06eaf40
https://github.com/fleetdm/fleet/security/advisories/GHSA-xwh8-9p3f-3x45
https://www.npmjs.com/package/fleetctl
Copyright 2024, cxsecurity.com

 

Back to Top