CVE-2023-27591

Опубликовано: 17 мар. 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default). A patch is available in Miniflux 2.0.43. As a workaround, set METRICS_COLLECTOR to false (default) or run Miniflux behind a trusted reverse-proxy.

Ссылки

https://github.com/miniflux/v2/pull/1745
Issue Tracking
Patch
https://github.com/miniflux/v2/releases/tag/2.0.43
Release Notes
https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v
Vendor Advisory
https://miniflux.app/docs/configuration.html#metrics-collector
Product
https://github.com/miniflux/v2/pull/1745
Issue Tracking
Patch
https://github.com/miniflux/v2/releases/tag/2.0.43
Release Notes
https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v
Vendor Advisory
https://miniflux.app/docs/configuration.html#metrics-collector
Product

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:miniflux_project:miniflux:*:*:*:*:*:go:*:*

Версия до 2.0.43 (исключая)

EPSS

Процентиль: 52%

0.00289

Низкий

7.5 High

CVSS3

Дефекты

CWE-200

NVD-CWE-noinfo

Связанные уязвимости

GHSA-3qjf-qh38-x73v