OSV:CVE-2024-28867
Source: Google, osv.dev
Published: 2024-03-29 15:15:11
Tags: swift prometheus, monitoring system, un-sanitized strings, metrics, memory usage

AI Score: 5.7 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 8.7%)

Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code that passes un-sanitized string values into metric names or labels, an attacker can supply input (for example a ?lang query parameter) containing newlines, } or similar characters. Because the Prometheus text exposition format uses exactly these characters to terminate a sample line and close a label set, such a value lets the attacker take over the exported format: creating an unbounded number of stored metrics, inflating server memory usage, or emitting "bogus" metrics. This vulnerability is fixed in 2.0.0-alpha.2.
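The injection mechanism described above, shown as an added example that is not part of the OSV entry or of the Swift Prometheus code base. It is written in Python rather than Swift so the exposition-format behaviour can be demonstrated without assuming anything about the library's API: a naive renderer interpolates a client-supplied `lang` value verbatim, a crafted value (constructed here) breaks out of the label and injects an extra metric line, and a hardened renderer applies the Prometheus text-format rules (metric and label name regexes, escaping of backslash, double quote and newline in label values). The `requests_total` metric, the `ALLOWED_LANGS` set and the `normalize_lang` helper are assumptions for illustration only.

```python
import re

# Prometheus text exposition format rules (from the Prometheus docs):
#   metric names match  [a-zA-Z_:][a-zA-Z0-9_:]*
#   label names match   [a-zA-Z_][a-zA-Z0-9_]*
#   label values may hold any UTF-8, but backslash, double quote and
#   newline must be escaped as \\ , \" and \n respectively.
METRIC_NAME_RE = re.compile(r"^[a-zA-Z_:][a-zA-Z0-9_:]*$")
LABEL_NAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_]*$")

# Constructed attacker input standing in for a ?lang query parameter. It closes
# the label set and the sample, injects a whole bogus metric line, then reopens
# a label so the remainder of the original line still parses.
MALICIOUS_LANG = 'en"} 1\nbogus_metric{x="1"} 9999\nrequests_total{lang="x'


def render_unsafe(name, labels, value):
    """Vulnerable rendering: interpolates names and label values verbatim."""
    pairs = ",".join(f'{k}="{v}"' for k, v in labels.items())
    return f"{name}{{{pairs}}} {value}\n"


def is_valid_metric_name(name):
    return METRIC_NAME_RE.match(name) is not None


def is_valid_label_name(name):
    return LABEL_NAME_RE.match(name) is not None


def escape_label_value(value):
    """Escape the three characters the text format requires escaping (backslash first)."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def render_safe(name, labels, value):
    """Hardened rendering: reject malformed names, escape every label value."""
    if not is_valid_metric_name(name):
        raise ValueError(f"invalid metric name: {name!r}")
    for k in labels:
        if not is_valid_label_name(k):
            raise ValueError(f"invalid label name: {k!r}")
    pairs = ",".join(f'{k}="{escape_label_value(v)}"' for k, v in labels.items())
    return f"{name}{{{pairs}}} {value}\n"


def count_samples(exposition):
    """Count sample lines the way a scraper would: non-empty, non-comment lines."""
    return sum(1 for line in exposition.splitlines() if line and not line.startswith("#"))


# Escaping stops format injection but not cardinality abuse: every distinct
# attacker-chosen value still becomes a new time series held in memory.
# Bounding the label to an allowlist (an assumed set here) closes that too.
ALLOWED_LANGS = frozenset({"en", "de", "fr"})


def normalize_lang(value, allowed=ALLOWED_LANGS):
    return value if value in allowed else "other"


if __name__ == "__main__":
    # Three sample lines come out of the vulnerable renderer, one of them bogus.
    print(render_unsafe("requests_total", {"lang": MALICIOUS_LANG}, 1))
    # One sample line, with the payload neutralised inside the quoted value.
    print(render_safe("requests_total", {"lang": MALICIOUS_LANG}, 1))
    # One sample line with a bounded label value.
    print(render_safe("requests_total", {"lang": normalize_lang(MALICIOUS_LANG)}, 1))
```

Escaping alone is the fix for the format takeover; the allowlist addresses the "unbounded numbers of stored metrics" part of the description, since even a correctly escaped label value still creates a new series for every distinct string an attacker sends.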
