7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.005 Low
EPSS
Percentile
75.4%
This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.
HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.
In order to be affected, an instrumented software must
promhttp.InstrumentHandler*
middleware except RequestsInFlight
.method
label name to our middleware.method
.If you cannot upgrade to v1.11.1 or above, in order to stop being affected you can:
method
label name from counter/gauge you use in the InstrumentHandler.If you have any questions or comments about this advisory:
[email protected]
CPE | Name | Operator | Version |
---|---|---|---|
github.com/prometheus/client_golang | lt | 1.11.1 |
github.com/prometheus/client_golang
github.com/prometheus/client_golang/pull/962
github.com/prometheus/client_golang/pull/987
github.com/prometheus/client_golang/releases/tag/v1.11.1
github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p
lists.fedoraproject.org/archives/list/[email protected]/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR
lists.fedoraproject.org/archives/list/[email protected]/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D
lists.fedoraproject.org/archives/list/[email protected]/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH
lists.fedoraproject.org/archives/list/[email protected]/message/3L6GDN5S5QZSCFKWD3GKL2RDZQ6B4UWA
lists.fedoraproject.org/archives/list/[email protected]/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3
lists.fedoraproject.org/archives/list/[email protected]/message/5OGNAFVXSMTTT2UPH6CS3IH6L3KM42Q7
lists.fedoraproject.org/archives/list/[email protected]/message/7V7I72LSQ3IET3QJR6QPAVGJZ4CBDLN5
lists.fedoraproject.org/archives/list/[email protected]/message/AK7CJBCGERCRXYUR2EWDSSDVAQMTAZGX
lists.fedoraproject.org/archives/list/[email protected]/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ
lists.fedoraproject.org/archives/list/[email protected]/message/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN
lists.fedoraproject.org/archives/list/[email protected]/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ
lists.fedoraproject.org/archives/list/[email protected]/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX
lists.fedoraproject.org/archives/list/[email protected]/message/KBMVIQFKQDSSTHVVJWJ4QH6TW3JVB7XZ
lists.fedoraproject.org/archives/list/[email protected]/message/MH6ALXEQXIFQRQFNJ5Y2MJ5DFPIX76VN
lists.fedoraproject.org/archives/list/[email protected]/message/RN7JGC2LVHPEGSJYODFUV5FEKPBVG4D7
lists.fedoraproject.org/archives/list/[email protected]/message/SASRKYHT5ZFSVMJUQUG3UAEQRJYGJKAR
lists.fedoraproject.org/archives/list/[email protected]/message/ZKORFJTRRDJCWBTJPISKKCVMMMJBIRLG
lists.fedoraproject.org/archives/list/[email protected]/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR
nvd.nist.gov/vuln/detail/CVE-2022-21698
pkg.go.dev/vuln/GO-2022-0322
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.005 Low
EPSS
Percentile
75.4%