| id: GO-2022-0322 |
| modules: |
| - module: github.com/prometheus/client_golang |
| versions: |
| - fixed: 1.11.1 |
| vulnerable_at: 1.11.0 |
| packages: |
| - package: github.com/prometheus/client_golang/prometheus/promhttp |
| symbols: |
| - sanitizeMethod |
| derived_symbols: |
| - Handler |
| - HandlerFor |
| - InstrumentHandlerCounter |
| - InstrumentHandlerDuration |
| - InstrumentHandlerRequestSize |
| - InstrumentHandlerResponseSize |
| - InstrumentHandlerTimeToWriteHeader |
| - InstrumentMetricHandler |
| - InstrumentRoundTripperCounter |
| - InstrumentRoundTripperDuration |
| - flusherDelegator.Flush |
| - readerFromDelegator.ReadFrom |
| - responseWriterDelegator.Write |
| - responseWriterDelegator.WriteHeader |
| summary: Uncontrolled resource consumption in github.com/prometheus/client_golang |
| description: |- |
| The Prometheus client_golang HTTP server is vulnerable to a denial of service |
| attack when handling requests with non-standard HTTP methods. |
| |
| In order to be affected, an instrumented software must use any of the |
| promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any |
| specific methods (e.g GET) before middleware; pass a metric with a "method" |
| label name to a middleware; and not have any firewall/LB/proxy that filters away |
| requests with unknown "method". |
| published: 2022-07-15T23:29:02Z |
| cves: |
| - CVE-2022-21698 |
| ghsas: |
| - GHSA-cg3q-j54f-5p7p |
| related: |
| - CVE-2023-25151 |
| - CVE-2023-45142 |
| - GHSA-5r5m-65gx-7vrh |
| - GHSA-rcjv-mgp8-qvmr |
| references: |
| - fix: https://github.com/prometheus/client_golang/pull/962 |
| review_status: REVIEWED |