Skip to main content

Fleet CVE-2021-21296

LOW
Uncontrolled Resource Consumption (CWE-400)
2021-02-10 security-advisories@github.com
2.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
CVE Published
Feb 10, 2021 - 20:15 nvd
LOW 2.7

DescriptionNVD

Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing. We believe the impact of this vulnerability to be low given the requirement that the actor has a valid node key. There is no information disclosure, privilege escalation, or code execution. The issue is fixed in Fleet 3.7.0.

AnalysisAI

Fleet is an open source osquery manager. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing. We believe the impact of this vulnerability to be low given the requirement that the actor has a valid node key. There is no information disclosure, privilege escalation, or code execution. The issue is fixed in Fleet 3.7.0. Affected products include: Fleetdm Fleet. Version information: version 3.7.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

More in Fleet

View all
CVE-2026-23518 CRITICAL
9.8 Jan 21

Fleet device management software has a signature verification bypass that allows attackers to install malicious firmware

CVE-2020-26276 CRITICAL
9.8 Dec 17

Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2026-26186 HIGH
8.8 Feb 26

SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the ord

CVE-2026-23517 HIGH
8.1 Jan 21

Fleet device management software versions prior to 4.78.3 suffer from broken access control that permits any authenticat

CVE-2022-24841 HIGH
8.1 Apr 18

fleetdm/fleet is an open source device management, built on osquery. Rated high severity (CVSS 8.1), this vulnerability

CVE-2019-1020009 HIGH
7.5 Jul 29

Fleet before 2.1.2 allows exposure of SMTP credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely e

CVE-2026-27465 MEDIUM
6.5 Feb 26

Fleet versions up to 4.80.1 contains a vulnerability that allows attackers to unauthorized access to Google Calendar res

CVE-2026-25963 MEDIUM
6.5 Feb 26

Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template dele

CVE-2026-23999 MEDIUM
5.5 Feb 26

Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attack

CVE-2026-22808 MEDIUM
5.4 Jan 21

fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]

CVE-2026-24004 MEDIUM
5.3 Feb 26

Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated at

Share

CVE-2021-21296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy