7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.005 Low
EPSS
Percentile
75.4%
This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.
HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.
In order to be affected, an instrumented software must
promhttp.InstrumentHandler*
middleware except RequestsInFlight
.method
label name to our middleware.method
.If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:
method
label name from counter/gauge you use in the InstrumentHandler.If you have any questions or comments about this advisory:
[email protected]
CPE | Name | Operator | Version |
---|---|---|---|
github.com/prometheus/client_golang | lt | 1.11.1 |
github.com/advisories/GHSA-cg3q-j54f-5p7p
github.com/prometheus/client_golang/pull/962
github.com/prometheus/client_golang/pull/987
github.com/prometheus/client_golang/releases/tag/v1.11.1
github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
lists.fedoraproject.org/archives/list/[email protected]/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR/
lists.fedoraproject.org/archives/list/[email protected]/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
lists.fedoraproject.org/archives/list/[email protected]/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
lists.fedoraproject.org/archives/list/[email protected]/message/3L6GDN5S5QZSCFKWD3GKL2RDZQ6B4UWA/
lists.fedoraproject.org/archives/list/[email protected]/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3/
lists.fedoraproject.org/archives/list/[email protected]/message/5OGNAFVXSMTTT2UPH6CS3IH6L3KM42Q7/
lists.fedoraproject.org/archives/list/[email protected]/message/7V7I72LSQ3IET3QJR6QPAVGJZ4CBDLN5/
lists.fedoraproject.org/archives/list/[email protected]/message/AK7CJBCGERCRXYUR2EWDSSDVAQMTAZGX/
lists.fedoraproject.org/archives/list/[email protected]/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/
lists.fedoraproject.org/archives/list/[email protected]/message/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/
lists.fedoraproject.org/archives/list/[email protected]/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
lists.fedoraproject.org/archives/list/[email protected]/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/
lists.fedoraproject.org/archives/list/[email protected]/message/KBMVIQFKQDSSTHVVJWJ4QH6TW3JVB7XZ/
lists.fedoraproject.org/archives/list/[email protected]/message/MH6ALXEQXIFQRQFNJ5Y2MJ5DFPIX76VN/
lists.fedoraproject.org/archives/list/[email protected]/message/RN7JGC2LVHPEGSJYODFUV5FEKPBVG4D7/
lists.fedoraproject.org/archives/list/[email protected]/message/SASRKYHT5ZFSVMJUQUG3UAEQRJYGJKAR/
lists.fedoraproject.org/archives/list/[email protected]/message/ZKORFJTRRDJCWBTJPISKKCVMMMJBIRLG/
lists.fedoraproject.org/archives/list/[email protected]/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/
nvd.nist.gov/vuln/detail/CVE-2022-21698
pkg.go.dev/vuln/GO-2022-0322
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.005 Low
EPSS
Percentile
75.4%