CVE-2024-28867— Swift Prometheus un-sanitized metric name or labels can be used to take over exported metrics

Swift Prometheus un-sanitized metric name or labels can be used to take over exported metrics

Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code which applies _un-sanitized string values into metric names or labels_, an attacker could make use of this and send a `?lang` query parameter containing newlines, `}` or similar characters which can lead to the attacker taking over the exported format -- including creating unbounded numbers of stored metrics, inflating server memory usage, or causing "bogus" metrics. This vulnerability is fixed in2.0.0-alpha.2.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

输出中的特殊元素转义处理不恰当(注入)

Prometheus 安全漏洞

Prometheus是一款使用Go语言编写的、用于记录使用HTTP拉模型构建的时间序列数据库中实时指标的开源软件。 Swift Prometheus 2.0.0-alpha.2之前版本存在安全漏洞，该漏洞源于将未清理的字符串值应用于指标名称或标签的代码中，攻击者利用该漏洞可以发送包含特俗字符的查询参数，导致服务器被接管。

N/A

N/A