Vulnerability Information
Vulnerability Title
Swift Prometheus un-sanitized metric name or labels can be used to take over exported metrics
Vulnerability Description
Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code which applies _un-sanitized string values into metric names or labels_, an attacker could make use of this and send a `?lang` query parameter containing newlines, `}` or similar characters, which can lead to the attacker taking over the exported format -- including creating unbounded numbers of stored metrics, inflating server memory usage, or causing "bogus" metrics. This vulnerability is fixed in 2.0.0-alpha.2.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
Improper neutralization of special elements in output (Injection)
Vulnerability Title
Prometheus Security Vulnerability
Vulnerability Description
Prometheus is open-source software written in Go for recording real-time metrics in a time-series database built using an HTTP pull model. Swift Prometheus versions before 2.0.0-alpha.2 contain a security vulnerability that stems from code applying un-sanitized string values to metric names or labels; an attacker can exploit it by sending query parameters containing special characters, leading to the server being taken over.
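The injection that both descriptions above refer to, shown in Python rather than Swift as an added example that is not Swift Prometheus's own code: a naive renderer that interpolates an untrusted `?lang` value verbatim into the Prometheus text exposition format, beside one that validates metric and label names against the format's grammar and escapes label values. The function names, the `requests_total` metric and the constructed `UNTRUSTED_LANG` sample are assumptions; the name regexes and the escaping rules are those of the Prometheus text format.

```python
import re

# Prometheus text exposition format grammar: metric names may contain
# [a-zA-Z0-9_:] (no leading digit), label names [a-zA-Z0-9_] (no leading digit).
METRIC_NAME_RE = re.compile(r"^[a-zA-Z_:][a-zA-Z0-9_:]*$")
LABEL_NAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_]*$")


def is_valid_metric_name(name: str) -> bool:
    return METRIC_NAME_RE.match(name) is not None


def is_valid_label_name(name: str) -> bool:
    return LABEL_NAME_RE.match(name) is not None


def escape_label_value(value: str) -> str:
    """Escape a label value as the text format requires: backslash, double
    quote and line feed become \\\\, \\" and \\n, so the value cannot close the
    quote, close the label set or start a new sample line."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def naive_render(name: str, labels: dict, value: float) -> str:
    """Vulnerable pattern: untrusted strings are concatenated verbatim."""
    pairs = ",".join(f'{k}="{v}"' for k, v in labels.items())
    return f"{name}{{{pairs}}} {value}"


def safe_render(name: str, labels: dict, value: float) -> str:
    """Hardened pattern: reject names outside the grammar, escape values."""
    if not is_valid_metric_name(name):
        raise ValueError(f"invalid metric name: {name!r}")
    for k in labels:
        if not is_valid_label_name(k):
            raise ValueError(f"invalid label name: {k!r}")
    pairs = ",".join(f'{k}="{escape_label_value(str(v))}"' for k, v in labels.items())
    return f"{name}{{{pairs}}} {value}"


def count_sample_lines(exposition: str) -> int:
    """How many sample lines a scraper would see in the rendered text."""
    return len([ln for ln in exposition.splitlines() if ln.strip()])


# Constructed sample input (hypothetical): a ?lang value carrying a quote,
# a closing brace and a newline, as the advisory describes.
UNTRUSTED_LANG = 'en"} 1\nbogus_metric 1'

if __name__ == "__main__":
    print(naive_render("requests_total", {"lang": UNTRUSTED_LANG}, 1))
    print(safe_render("requests_total", {"lang": UNTRUSTED_LANG}, 1))
```

With the naive renderer the single sample splits into two exposition lines, one of them a metric the application never defined; the hardened renderer keeps it to one line with the payload inert inside the quoted value.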
CVSS Information
N/A
Vulnerability Type
N/A