Skip to content

Unauthenticated user can bypass allowed networks check to obtain Prometheus metrics

Low
fguillot published GHSA-3qjf-qh38-x73v Mar 17, 2023

Package

gomod miniflux.app (Go)

Affected versions

<= 2.0.42

Patched versions

2.0.43

Description

Impact

An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default).

Patches

PR #1745 fixes the problem. Available in Miniflux >= 2.0.43.

Workarounds

Set METRICS_COLLECTOR to false (default) or run Miniflux behind a trusted reverse-proxy.

References

Severity

Low
0.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CVE ID

CVE-2023-27591

Weaknesses

Credits