Fleet
CVE-2021-21296
LOW
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionNVD
Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing. We believe the impact of this vulnerability to be low given the requirement that the actor has a valid node key. There is no information disclosure, privilege escalation, or code execution. The issue is fixed in Fleet 3.7.0.
AnalysisAI
Fleet is an open source osquery manager. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Technical ContextAI
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. Fleet is an open source osquery manager. In Fleet before version 3.7.0 a malicious actor with a valid node key can send a badly formatted request that causes the Fleet server to exit, resulting in denial of service. This is possible only while a live query is currently ongoing. We believe the impact of this vulnerability to be low given the requirement that the actor has a valid node key. There is no information disclosure, privilege escalation, or code execution. The issue is fixed in Fleet 3.7.0. Affected products include: Fleetdm Fleet. Version information: version 3.7.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
Fleet device management software has a signature verification bypass that allows attackers to install malicious firmware
Fleet is an open source osquery manager. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the ord
Fleet device management software versions prior to 4.78.3 suffer from broken access control that permits any authenticat
fleetdm/fleet is an open source device management, built on osquery. Rated high severity (CVSS 8.1), this vulnerability
Fleet before 2.1.2 allows exposure of SMTP credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely e
Fleet versions up to 4.80.1 contains a vulnerability that allows attackers to unauthorized access to Google Calendar res
Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template dele
Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attack
fleetdm/fleet is open source device management software. [CVSS 5.4 MEDIUM]
Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated at
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today