Lucene search

[email protected]NVD:CVE-2024-28867

HistoryMar 29, 2024 - 3:15 p.m.

CVE-2024-28867

2024-03-2915:15:11

CWE-74

[email protected]

web.nvd.nist.gov

cve-2024-28867

unsanitized string values

metric names

labels

attack

query parameter

server memory usage

stored metrics

vulnerability

swift prometheus

prometheus

monitoring system

bogus metrics

alpha version

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

5.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code which applies un-sanitized string values into metric names or labels, an attacker could make use of this and send a ?lang query parameter containing newlines, } or similar characters which can lead to the attacker taking over the exported format – including creating unbounded numbers of stored metrics, inflating server memory usage, or causing “bogus” metrics. This vulnerability is fixed in2.0.0-alpha.2.

References

github.com/swift-server/swift-prometheus/commit/bfcd4bbfabe11aae4b035424ee9724582e288501

github.com/swift-server/swift-prometheus/security/advisories/GHSA-x768-cvr2-345r

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

5.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for NVD:CVE-2024-28867

osv2 cve1 cvelist1 github1