oss-sec mailing list archives
CVE-2022-21698: HTTP method DOS; Prometheus client_golang <1.11.1 affected; Other web servers might be affected too
From: Bartek Plotka <bartek () prometheus io>
Date: Tue, 15 Feb 2022 13:53:06 +0100
Hi,

Prometheus Team just published CVE-2022-21698 <https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p> that relates to unbounded cardinality of HTTP method, which is not validated by some HTTP server implementations (including Golang one).

See the GitHub security advisory <https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p> for more details on potential attack vectors, characteristics and workarounds.

Prometheus client_golang before 1.11.1 was affected. Newer versions are patched. See the announcement <https://groups.google.com/g/prometheus-announce/c/zlCm4A7FwZU>.

Note however that many metric implementations that gather metrics about HTTP requests can be affected, even without using client_golang or using different programming languages (!). We notified some common open-source web-servers (including Kubernetes) projects and some of them were affected (without client_golang) and patched subsequently.

We would like to thank Prometheus contributor David <https://github.com/dgl>, for reporting this.

Thanks,
The Prometheus Team
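An added example, not part of the message above and not the client_golang project's own code, showing the mechanism in Go with only the standard library. It builds a toy counter vector labelled by (method, code) standing in for a Prometheus CounterVec, then instruments the same handler twice: once recording the client-supplied method verbatim, once folding anything outside an allowlist into a single "unknown" label value. The allowlist, the "unknown" value, the Simulate/Instrument helper names and the attack traffic (distinct token methods M0, M1, ...) are this example's constructions. The returned numbers are series counts, i.e. the number of distinct label combinations the metric keeps in memory for the life of the process.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// labelSet is a toy stand-in for a metric vector (e.g. a Prometheus CounterVec)
// keyed by the labels (method, code). Each distinct label combination is one
// time series that stays allocated until the process exits.
type labelSet struct {
	mu     sync.Mutex
	series map[string]int
}

func newLabelSet() *labelSet { return &labelSet{series: map[string]int{}} }

func (s *labelSet) inc(method string, code int) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.series[fmt.Sprintf("method=%q,code=%d", method, code)]++
}

// Cardinality is the number of distinct (method, code) series held.
func (s *labelSet) Cardinality() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.series)
}

// allowedMethods is this example's allowlist: the RFC 9110 methods plus PATCH.
var allowedMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "DELETE": true,
	"CONNECT": true, "OPTIONS": true, "TRACE": true, "PATCH": true,
}

// RawMethod is the vulnerable choice: the client-controlled method becomes
// a label value as-is, so every new method string is a new series.
func RawMethod(m string) string { return m }

// SanitizeMethod bounds the label: anything outside the allowlist is folded
// into one value, so an attacker can add at most one extra method label.
func SanitizeMethod(m string) string {
	u := strings.ToUpper(m)
	if allowedMethods[u] {
		return u
	}
	return "unknown"
}

// statusRecorder captures the status code written by the wrapped handler.
type statusRecorder struct {
	http.ResponseWriter
	status int
}

func (r *statusRecorder) WriteHeader(code int) {
	r.status = code
	r.ResponseWriter.WriteHeader(code)
}

// Instrument records one observation per request, labelled by the method as
// transformed by labelFn and by the response code the handler produced.
func Instrument(next http.Handler, metrics *labelSet, labelFn func(string) string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec := &statusRecorder{ResponseWriter: w, status: http.StatusOK}
		next.ServeHTTP(rec, r)
		metrics.inc(labelFn(r.Method), rec.status)
	})
}

// app rejects unknown methods with 405, but the middleware has already
// recorded the method by the time that happens, which is the whole problem.
var app = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	fmt.Fprintln(w, "ok")
})

// Simulate sends one legitimate GET followed by n constructed attack requests
// whose method is a distinct but syntactically valid token (M0, M1, ...),
// which Go's request parser accepts, against both instrumentations.
func Simulate(n int) (rawSeries, sanitizedSeries int) {
	raw, sanitized := newLabelSet(), newLabelSet()
	handlers := []http.Handler{
		Instrument(app, raw, RawMethod),
		Instrument(app, sanitized, SanitizeMethod),
	}
	for _, h := range handlers {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil))
		for i := 0; i < n; i++ {
			req := httptest.NewRequest(fmt.Sprintf("M%d", i), "/", nil)
			h.ServeHTTP(httptest.NewRecorder(), req)
		}
	}
	return raw.Cardinality(), sanitized.Cardinality()
}

func main() {
	r, s := Simulate(10000)
	fmt.Printf("raw method label: %d series; sanitized: %d series\n", r, s)
}
```

Run stand-alone, the raw instrumentation ends up with one series per attack request while the sanitized one stays at two, regardless of how many requests are sent; the same check applies to any other client-controlled value (path, host, user agent) that an exporter turns into a label.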