CVE-2020-21514: Fluent Fluentd and Fluent-ui use default password
CVSS 3.1 Score: 8.8
Basic Information

- CVE ID: CVE-2020-21514
- EPSS Score: 0.26215%
- CWE: CWE-276 (Incorrect Default Permissions)
- Published: 4/4/2023
- Updated: 2/13/2025
- KEV Status: No
- Technology: Ruby
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| fluentd | rubygems | <= 1.8.0 | |
| fluentd-ui | rubygems | <= 1.2.2 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Fluentd-ui shipping with a default password ('admin'/'changeme') that the application does not require to be changed after deployment. The advisory does not name specific functions, but the flaw implies that the user initialization or authentication setup code in Fluentd-ui is what creates and manages the default credentials. Attackers use these credentials to gain access and then abuse functionality such as the in_exec plugin (enabled by default in Fluentd) to execute code. The assigned CWE-276 (Incorrect Default Permissions) is consistent with this analysis: the system ships with insecure default authentication settings.