Lucene search
+L

7 matches found

CVE
CVE
added 2 days ago26 views

CVE-2026-49835

CVE-2026-49835 affects Sigstore Timestamp Authority. The issue arises from the legacy wrapMetrics middleware, which records raw HTTP path and method as Prometheus labels for latency and request count, enabling an unauthenticated attacker to issue requests with arbitrary paths/methods and create u...

5.9CVSS5.3AI score0.00652EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 5 days ago7 views

CVE-2026-49835

A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of...

5.9CVSS6.1AI score0.00652EPSS
Exploits0References4
OSV
OSV
added 2026/06/30 6:40 p.m.6 views

GHSA-9C54-X2G4-V92J Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality

Impact An unauthenticated remote attacker can trigger unbounded memory growth on the timestamp authority server. This vulnerability exists because the global wrapMetrics middleware records the raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency a...

5.9CVSS6AI score0.00652EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/12 9:33 p.m.27 views

CVE-2026-26069 Scraparr Readarr Integration exposes sensitive values as metric labels.

Scraparr is a Prometheus Exporter for various components of the arr Suite. From 3.0.0-beta to before 3.0.2, when the Readarr integration was enabled, the exporter exposed the configured Readarr API key as the alias metric label value. Users were affected only if all of the following conditions ar...

9.1CVSS0.00295EPSS
Exploits0References3
CVE
CVE
added 2026/02/12 9:33 p.m.20 views

CVE-2026-26069

Scraparr (Prometheus Exporter) prior to 3.0.2 is affected when Readarr integration is enabled and the exporter’s /metrics is exposed to outsiders. The Readarr API key could be exposed as the alias metric label value, under conditions: Readarr scraping enabled, no alias configured, /metrics public...

9.1CVSS5.5AI score0.00295EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-3542

Malicious code in bioql PyPI...

6.5CVSS5.8AI score0.0178EPSS
Exploits1References8
OSV
OSV
added 2021/05/18 3:38 p.m.34 views

GHSA-2V6X-FRW8-7R7F Duplicate Advisory: k8s.io/kube-state-metrics Exposure of Sensitive Information

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c92w-72c5-9x59. This link is maintained to preserve external references. Original Description A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0...

6.5CVSS6.5AI score0.0178EPSS
Exploits1References5
Rows per page
Query Builder