List: oss-security
Subject: [oss-security] CVE-2022-21698: HTTP method DOS; Prometheus client_golang <1.11.1 affected; Other web
From: Bartek Plotka <bartek () prometheus ! io>
Date: 2022-02-15 12:53:06
Message-ID: CALSHWeDjhVEkJ76sRzqX56ToyxpLF+BsYTHneQ7iQ8H=0exeoA () mail ! gmail ! com
Hi,
Prometheus Team just published CVE-2022-21698
<https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>
that relates to unbounded cardinality of HTTP method, which is not validated by
some HTTP server implementations (including Golang one). See the GitHub
security advisory
<https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p>
for more details on potential attack vectors, characteristics and workarounds.

Prometheus client_golang before 1.11.1 was affected. Newer versions are
patched. See the announcement:
<https://groups.google.com/g/prometheus-announce/c/zlCm4A7FwZU>
Note however that many metric implementations that gather metrics about
HTTP requests can be affected, even without using client_golang or using
different programming languages (!). We notified some common open-source
web-servers (including Kubernetes) projects and some of them were affected
(without client_golang) and patched subsequently.
We would like to thank Prometheus contributor David <https://github.com/dgl>
for reporting this.
Thanks,
The Prometheus Team
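The following Go program is an added illustration of the cardinality problem described in the advisory and of the allow-list mitigation; it is not code from the Prometheus project or from client_golang. It uses only the standard library: the `MethodCounter` type, `sanitizeMethod`, `Instrument` and `simulate` are constructed for this example as a stand-in for a `CounterVec` with a `method` label, and the fixed allow-list of method names is an assumption about what a bounded label set should contain. Go's `net/http` accepts any syntactically valid token as a request method, so without sanitisation every distinct token becomes a new time series.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// knownMethods is the allow-list of HTTP methods that are permitted to become
// a metric label value (assumed set for this example). Any other token is
// collapsed to "unknown", so a client sending made-up method names cannot
// grow the label set without bound.
var knownMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true,
	"CONNECT": true, "OPTIONS": true, "TRACE": true, "PATCH": true,
}

// sanitizeMethod maps an incoming request method to a bounded label value.
func sanitizeMethod(method string) string {
	m := strings.ToUpper(method)
	if knownMethods[m] {
		return m
	}
	return "unknown"
}

// MethodCounter is a minimal stand-in for a Prometheus CounterVec with a
// "method" label (constructed for this example; not the client_golang type).
type MethodCounter struct {
	mu       sync.Mutex
	counts   map[string]int
	sanitize bool // false reproduces the unbounded, pre-fix behaviour
}

func NewMethodCounter(sanitize bool) *MethodCounter {
	return &MethodCounter{counts: make(map[string]int), sanitize: sanitize}
}

// Observe records one request; the label value is the raw method unless
// sanitisation is enabled.
func (c *MethodCounter) Observe(method string) {
	label := method
	if c.sanitize {
		label = sanitizeMethod(method)
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	c.counts[label]++
}

// Cardinality returns how many distinct label values (time series) exist.
func (c *MethodCounter) Cardinality() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// Instrument wraps a handler and counts every request by method, the way an
// HTTP instrumentation middleware would.
func Instrument(c *MethodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.Observe(r.Method)
		next.ServeHTTP(w, r)
	})
}

// simulate sends n requests, each with a different made-up (but syntactically
// valid) method token, through the instrumented handler and reports the
// resulting number of series. The requests are constructed in-process.
func simulate(sanitize bool, n int) int {
	c := NewMethodCounter(sanitize)
	h := Instrument(c, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(fmt.Sprintf("BOGUS%d", i), "/", nil)
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return c.Cardinality()
}

func main() {
	fmt.Println("unbounded series after 1000 requests:", simulate(false, 1000)) // 1000
	fmt.Println("sanitised series after 1000 requests:", simulate(true, 1000))  // 1
}
```

The same idea applies to any label derived from client-controlled request data (path, host, user agent): map it onto a fixed set of values before it reaches the metric, or the memory held by the metrics registry grows with the number of distinct inputs an unauthenticated client chooses to send.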