Google Git
Sign in
go / vulndb / 768c201e6d4712f3a862926f0ca3ed2364ab9c6f / . / data / reports / GO-2022-0322.yaml
blob: 6d3abe05f8b4c7cd7139b64e452852174c63a1db [file] [log] [blame]
modules:
- module: github.com/prometheus/client_golang
versions:
- fixed: 1.11.1
vulnerable_at: 1.11.0
packages:
- package: github.com/prometheus/client_golang/prometheus/promhttp
symbols:
- sanitizeMethod
derived_symbols:
- flusherDelegator.Flush
- readerFromDelegator.ReadFrom
- responseWriterDelegator.Write
- responseWriterDelegator.WriteHeader
description: |
The Prometheus client_golang HTTP server is vulnerable to a denial of
service attack when handling requests with non-standard HTTP methods.
In order to be affected, an instrumented software must use any of
the promhttp.InstrumentHandler* middleware except `RequestsInFlight`;
not filter any specific methods (e.g GET) before middleware;
pass a metric with a "method" label name to a middleware; and not
have any firewall/LB/proxy that filters away requests with unknown
"method".
published: 2022-07-15T23:29:02Z
cves:
- CVE-2022-21698
ghsas:
- GHSA-cg3q-j54f-5p7p