Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-CG3Q-J54F-5P7P
HistoryFeb 16, 2022 - 10:26 p.m.

Uncontrolled Resource Consumption in promhttp

2022-02-1622:26:35
CWE-400
CWE-772
GitHub Advisory Database
github.com
57

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.005 Low

EPSS

Percentile

75.4%

JSON

This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.

Impact

HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.

Affected Configuration

In order to be affected, an instrumented software must

  • Use any of promhttp.InstrumentHandler* middleware except RequestsInFlight.
  • Do not filter any specific methods (e.g GET) before middleware.
  • Pass metric with method label name to our middleware.
  • Not have any firewall/LB/proxy that filters away requests with unknown method.

Patches

Workarounds

If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:

  • Remove method label name from counter/gauge you use in the InstrumentHandler.
  • Turn off affected promhttp handlers.
  • Add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request.
  • Use a reverse proxy or web application firewall, configured to only allow a limited set of methods.

For more information

If you have any questions or comments about this advisory:

References

Related

prion 1
nessus 21
cbl_mariner 14
suse 7
openvas 62
wolfi 1
fedora 60
redhatcve 1
debiancve 1
redhat 13
ubuntucve 1
alpinelinux 1
cve 1
mageia 1
veracode 1
cgr 1
osv 9
ibm 2
almalinux 1
prion
prion
Design/Logic Flaw
2022-02-15 16:15:00
nessus
nessus
CBL Mariner 2.0 Security Update: kured (CVE-2022-21698)
2023-11-19 00:00:00
Fedora 35 : golang-github-distribution-3 (2022-739c7a0058)
2022-12-22 00:00:00
Fedora 39 : golang-github-prometheus-alertmanager (2023-0c6723004f)
2023-11-07 00:00:00
cbl_mariner
cbl_mariner
CVE-2022-21698 affecting package local-path-provisioner 0.0.21-13
2024-02-02 20:37:47
CVE-2022-21698 affecting package prometheus-node-exporter 1.3.1-21
2024-02-09 19:07:07
CVE-2022-21698 affecting package node-problem-detector 0.8.10-17
2024-02-14 17:05:34
suse
suse
Security update for node_exporter (important)
2022-06-20 00:00:00
Security update for golang-github-prometheus-alertmanager (important)
2022-06-20 00:00:00
Security update for golang-github-prometheus-node_exporter (moderate)
2022-10-26 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2022:2137-1)
2022-06-21 00:00:00
openSUSE: Security Advisory for node_exporter (SUSE-SU-2022:2140-1)
2022-06-21 00:00:00
Fedora: Security Advisory for skopeo (FEDORA-2022-6043a7b938)
2022-04-03 00:00:00
wolfi
wolfi
CVE-2022-21698 vulnerabilities
2024-04-29 16:00:10
fedora
fedora
[SECURITY] Fedora 34 Update: stargz-snapshotter-0.10.2-1.fc34
2022-04-14 16:06:55
[SECURITY] Fedora 36 Update: skopeo-1.7.0-1.fc36
2022-03-29 00:20:58
[SECURITY] Fedora 34 Update: skopeo-1.7.0-1.fc34
2022-04-02 01:57:12
redhatcve
redhatcve
CVE-2022-21698
2022-02-15 17:20:06
debiancve
debiancve
CVE-2022-21698
2022-02-15 16:15:00
redhat
redhat
(RHSA-2022:4667) Moderate: OpenShift Virtualization 4.10.1 RPMs security and bug fix update
2022-05-18 15:34:20
(RHSA-2023:2014) Moderate: OpenShift Container Platform 4.11.39 bug fix and security update
2023-05-02 01:50:20
(RHSA-2023:0566) Moderate: OpenShift Container Platform 4.11.26 security update
2023-02-07 06:16:07
ubuntucve
ubuntucve
CVE-2022-21698
2022-02-15 00:00:00
alpinelinux
alpinelinux
CVE-2022-21698
2022-02-15 16:15:00
cve
cve
CVE-2022-21698
2022-02-15 16:15:00
mageia
mageia
Updated golang-github-prometheus-client packages fix security vulnerability
2022-05-15 13:06:40
veracode
veracode
Denial Of Service (DoS)
2022-02-16 07:17:26
cgr
cgr
CVE-2022-21698 vulnerabilities
2024-04-29 15:59:53
osv
osv
Memory exhaustion in go.opentelemetry.io/contrib/instrumentation
2023-10-16 19:30:55
OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics
2023-10-16 14:01:54
CVE-2023-45142
2023-10-12 17:15:09
ibm
ibm
Security Bulletin: CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard
2023-03-29 19:03:37
Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak
2022-08-20 18:32:48
almalinux
almalinux
Important: container-tools:rhel8 security, bug fix, and enhancement update
2022-05-10 00:00:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.005 Low

EPSS

Percentile

75.4%

JSON
Related for GHSA-CG3Q-J54F-5P7P
prion1nessus21cbl_mariner14suse7openvas62wolfi1fedora60redhatcve1debiancve1redhat13ubuntucve1alpinelinux1cve1mageia1veracode1cgr1osv9ibm2almalinux1