CVE-2023-22497

Published: 14 Jan 2023
Source: nvd
CVSS3: 6.5
CVSS3: 9.1
EPSS: Low

Description

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has access to a Netdata Agent has access to its MACHINE_GUID. Streaming is a feature that allows a Netdata Agent to act as parent for other Netdata Agents (children), offloading children from various functions (increased data retention, ML, health monitoring, etc.) that can now be handled by the parent Agent. Configuration is done via stream.conf. On the parent side, users configure in stream.conf an API key (any random UUID can do) to provide common configuration for all children using this API key and per MACHINE GUID configuration to customize the configuration for each child. The way this was implemented allowed an attacker to use a valid MACHINE_GUID as an API key. This affects all users who

Vulnerable configurations

Configuration 1
cpe:2.3:a:netdata:netdata:*:*:*:*:*:*:*:*
Versions before 1.37.0 (excluding)

EPSS

Percentile: 50%
0.00267
Low

6.5 Medium

CVSS3

9.1 Critical

CVSS3

Weaknesses

CWE-287
CWE-668

Related vulnerabilities

CVSS3: 6.5
ubuntu
about 3 years ago

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist across restarts and reboots. Anyone who has access to a Netdata Agent has access to its MACHINE_GUID. Streaming is a feature that allows a Netdata Agent to act as parent for other Netdata Agents (children), offloading children from various functions (increased data retention, ML, health monitoring, etc.) that can now be handled by the parent Agent. Configuration is done via `stream.conf`. On the parent side, users configure in `stream.conf` an API key (any random UUID can do) to provide common configuration for all children using this API key and per MACHINE GUID configuration to customize the configuration for each child. The way this was implemented allowed an attacker to use a valid MACHINE_GUID as an API key. This affects all users ...

CVSS3: 6.5
debian
about 3 years ago

Netdata is an open source option for real-time infrastructure monitori ...