VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-8hsx-rzd7-gqe2

Essentials
Severities (23)
References (12)
Severity details (19)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-8hsx-rzd7-gqe2
Aliases	CVE-2022-39379 GHSA-fppq-mj76-fpj2
Summary	fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration) ### Impact A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. ### Patches v1.15.3 ### Workarounds Do not use `FLUENT_OJ_OPTION_MODE=object`. ### References * GHSL-2022-067
Status	Published
Exploitability	0.5
Weighted Severity	7.3
Risk	3.6
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-502	Deserialization of Untrusted Data
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39379.json
epss	0.06003	https://api.first.org/data/v1/epss?cve=CVE-2022-39379
epss	0.06003	https://api.first.org/data/v1/epss?cve=CVE-2022-39379
epss	0.06003	https://api.first.org/data/v1/epss?cve=CVE-2022-39379
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-fppq-mj76-fpj2
cvssv3.1	3.1	https://github.com/fluent/fluentd
generic_textual	LOW	https://github.com/fluent/fluentd
cvssv3.1	3.1	https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
generic_textual	LOW	https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
ssvc	Track	https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
cvssv3	3.1	https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
cvssv3.1	3.1	https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
cvssv3.1_qr	LOW	https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
generic_textual	LOW	https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
ssvc	Track	https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
cvssv3.1	3.1	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml
generic_textual	LOW	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml
cvssv3.1	3.1	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/
ssvc	Track	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/
cvssv3.1	3.1	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO
generic_textual	LOW	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO
cvssv3.1	3.1	https://nvd.nist.gov/vuln/detail/CVE-2022-39379
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2022-39379

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39379.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-39379
		https://github.com/fluent/fluentd
		https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135
		https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/
		https://nvd.nist.gov/vuln/detail/CVE-2022-39379
2142460		https://bugzilla.redhat.com/show_bug.cgi?id=2142460
GHSA-fppq-mj76-fpj2		https://github.com/advisories/GHSA-fppq-mj76-fpj2
MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO		https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39379.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/fluent/fluentd

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:55:24Z/ Found at https://github.com/fluent/fluentd/commit/48e5b85dab1b6d4c273090d538fc11b3f2fd8135

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:55:24Z/ Found at https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:55:24Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO/

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYD5QV66OLDHES6IKVYYM3Y3YID3VVCO

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-39379

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.9085
EPSS Score	0.06003
Published At	June 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T16:14:48.025084+00:00	Ruby Importer	Import	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fluentd/CVE-2022-39379.yml	38.6.0