CVE-2024-28867
CVSS V2 None
CVSS V3 None
Description
Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code which applies _un-sanitized string values into metric names or labels_, an attacker could make use of this and send a `?lang` query parameter containing newlines, `}` or similar characters which can lead to the attacker taking over the exported format -- including creating unbounded numbers of stored metrics, inflating server memory usage, or causing "bogus" metrics. This vulnerability is fixed in2.0.0-alpha.2.
Overview
- CVE ID
- CVE-2024-28867
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-03-29T14:26:22.194Z
- Last Modified Date
- 2024-06-04T18:03:18.312Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/swift-server/swift-prometheus/security/advisories/GHSA-x768-cvr2-345r | x_refsource_CONFIRM |
https://github.com/swift-server/swift-prometheus/commit/bfcd4bbfabe11aae4b035424ee9724582e288501 | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-28867 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28867 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-26 07:48:19 | Added to TrackCVE |