CVE-2024-28867

Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code which applies _un-sanitized string values into metric names or labels_, an attacker could make use of this and send a `?lang` query parameter containing newlines, `}` or similar characters which can lead to the attacker taking over the exported format -- including creating unbounded numbers of stored metrics, inflating server memory usage, or causing "bogus" metrics. This vulnerability is fixed in2.0.0-alpha.2.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/swift-server/swift-prometheus/commit/bfcd4bbfabe11aae4b035424ee9724582e288501
https://github.com/swift-server/swift-prometheus/security/advisories/GHSA-x768-cvr2-345r
https://github.com/swift-server/swift-prometheus/commit/bfcd4bbfabe11aae4b035424ee9724582e288501
https://github.com/swift-server/swift-prometheus/security/advisories/GHSA-x768-cvr2-345r

Configurations

No configuration.

History

21 Nov 2024, 09:07

Type	Values Removed	Values Added
Summary		(es) Swift Prometheus es un cliente Swift para el sistema de monitoreo Prometheus, que admite contadores, medidores e histogramas. En el código que aplica _valores de cadena no desinfectados en nombres o etiquetas de métricas_, un atacante podría hacer uso de esto y enviar un parámetro de consulta `?lang` que contenga nuevas líneas, `}` o caracteres similares que pueden llevar al atacante a hacerse cargo del contenido exportado. formato, incluida la creación de números ilimitados de métricas almacenadas, inflar el uso de la memoria del servidor o generar métricas "falsas". Esta vulnerabilidad se solucionó en 2.0.0-alpha.2.
References	~~() https://github.com/swift-server/swift-prometheus/commit/bfcd4bbfabe11aae4b035424ee9724582e288501 -~~	() https://github.com/swift-server/swift-prometheus/commit/bfcd4bbfabe11aae4b035424ee9724582e288501 -
References	~~() https://github.com/swift-server/swift-prometheus/security/advisories/GHSA-x768-cvr2-345r -~~	() https://github.com/swift-server/swift-prometheus/security/advisories/GHSA-x768-cvr2-345r -

29 Mar 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-29 15:15

Updated : 2024-11-21 09:07

NVD link : CVE-2024-28867

Mitre link : CVE-2024-28867

CVE.ORG link : CVE-2024-28867

JSON object : View

Products Affected

No product.

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

5.9 /10