CVE-2022-21698

Summary

CVE: CVE-2022-21698
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-02-15 16:15:00 UTC
Updated: 2023-11-07 03:43:00 UTC
Description: client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off the affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.
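The method-sanitizing middleware workaround from the description, written out as an added example (not code from client_golang or the advisory). It uses only the Go standard library and assumes the `promhttp.InstrumentHandler*` chain is the handler it wraps; the names `allowedMethods`, `SanitizeMethod`, `MethodSanitizer` and `ObservedMethod` are this example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedMethods is the closed set of request methods that may reach the
// promhttp `method` label; anything else collapses to "unknown", so a client
// cannot mint new label values (and new time series) with arbitrary methods.
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// SanitizeMethod maps a method to a bounded label value. The lookup is
// case-sensitive on purpose: net/http does not upper-case methods, so "get"
// would be its own label value and must collapse as well.
func SanitizeMethod(method string) string {
	if allowedMethods[method] {
		return method
	}
	return "unknown"
}

// MethodSanitizer is the middleware to mount in front of the (assumed)
// promhttp.InstrumentHandler* chain. It rewrites r.Method on a clone before
// the instrumented handler reads it, so the label set stays bounded.
func MethodSanitizer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r2 := r.Clone(r.Context())
		r2.Method = SanitizeMethod(r.Method)
		next.ServeHTTP(w, r2)
	})
}

// ObservedMethod drives the middleware with a constructed request and
// returns the method the downstream handler actually saw.
func ObservedMethod(method string) string {
	seen := ""
	h := MethodSanitizer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Method
	}))
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(method, "/api", nil))
	return seen
}

func main() {
	for _, m := range []string{"GET", "get", "GARBAGE-1234"} {
		fmt.Printf("%-13s -> %s\n", m, ObservedMethod(m))
	}
}
```

Rewriting rather than rejecting keeps the request flowing, but downstream handlers then also see the rewritten method; the advisory's reverse-proxy or WAF option drops such requests outright instead.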

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Fedoraproject | Extra Packages For Enterprise Linux | 7.0 | All | All | All
Application | Fedoraproject | Extra Packages For Enterprise Linux | 8.0 | All | All | All
Operating System | Fedoraproject | Fedora | 34 | All | All | All
Operating System | Fedoraproject | Fedora | 35 | All | All | All
Operating System | Fedoraproject | Fedora | 36 | All | All | All
Operating System | Fedoraproject | Fedora | 37 | All | All | All
Application | Fedoraproject | Fedora Extra Packages For Enterprise Linux | 7.0 | All | All | All
Application | Prometheus | Client Golang | All | All | All | All
Application | Rdo Project | Rdo | - | All | All | All

References

Reference | Source | Link | Tags
[SECURITY] Fedora 35 Update: skopeo-1.7.0-1.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: stargz-snapshotter-0.10.2-1.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: podman-3.4.7-1.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: aquatone-1.7.0-7.fc36 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
Release 1.11.1 / 2022-02-15 · prometheus/client_golang · GitHub | MISC | github.com | Release Notes, Third Party Advisory
[SECURITY] Fedora 35 Update: podman-3.4.7-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: buildah-1.23.4-1.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: skopeo-1.7.0-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc36 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: buildah-1.23.4-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: stargz-snapshotter-0.11.3-2.fc36 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: podman-4.0.3-1.fc36 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
InstrumentHandler* HTTP middleware prone to DoS through method label cardinality · Advisory · prometheus/client_golang · GitHub | CONFIRM | github.com | Issue Tracking, Third Party Advisory
[SECURITY] Fedora 36 Update: golang-github-prometheus-client-1.12.2-2.fc36 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 37 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc37 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 34 Update: podman-3.4.7-1.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: stargz-snapshotter-0.10.2-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 34 Update: stargz-snapshotter-0.10.2-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 34 Update: stargz-snapshotter-0.10.2-1.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: aquatone-1.7.0-7.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: skopeo-1.7.0-1.fc36 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 37 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: podman-4.0.3-1.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 34 Update: skopeo-1.7.0-1.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: skopeo-1.7.0-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 34 Update: podman-3.4.7-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: golang-github-prometheus-client-1.12.2-2.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
promhttp: Check validity of method and code label values by kakkoyun · Pull Request #962 · prometheus/client_golang · GitHub | MISC | github.com | Patch, Third Party Advisory
[SECURITY] Fedora 34 Update: skopeo-1.7.0-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
promhttp: Check validity of method and code label values (#962) by bwplotka · Pull Request #987 · prometheus/client_golang · GitHub | MISC | github.com | Patch, Third Party Advisory
[SECURITY] Fedora 36 Update: stargz-snapshotter-0.11.3-2.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc35 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 159829 Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2022-1762)
  • 160237 Oracle Enterprise Linux Security Update for container-tools:3.0 (ELSA-2022-7529)
  • 160238 Oracle Enterprise Linux Security Update for grafana (ELSA-2022-7519)
  • 160278 Oracle Enterprise Linux Security Update for grafana (ELSA-2022-8057)
  • 183349 Debian Security Update for golang-github-prometheus-client-golang (CVE-2022-21698)
  • 240293 Red Hat Update for container-tools:rhel8 security (RHSA-2022:1762)
  • 240386 Red Hat OpenShift Container Platform 5 Security Update (RHSA-2022:2280)
  • 240607 Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2022:5068)
  • 240610 Red Hat Update for OpenStack Platform 16.1 (RHSA-2022:6066)
  • 240614 Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:6061)
  • 240821 Red Hat Update for container-tools:3.0 (RHSA-2022:7529)
  • 240850 Red Hat Update for grafana security (RHSA-2022:7519)
  • 240902 Red Hat Update for grafana security (RHSA-2022:8057)
  • 242773 Red Hat Update for container-tools:3.0 (RHSA-2024:0564)
  • 282547 Fedora Security Update for skopeo (FEDORA-2022-6043a7b938)
  • 282548 Fedora Security Update for skopeo (FEDORA-2022-eda0e65b01)
  • 282587 Fedora Security Update for stargz (FEDORA-2022-e244ad73d6)
  • 282588 Fedora Security Update for stargz (FEDORA-2022-a7d438b30b)
  • 282601 Fedora Security Update for grafana (FEDORA-2022-83405f9d5b)
  • 282602 Fedora Security Update for grafana (FEDORA-2022-9dd03cab55)
  • 282631 Fedora Security Update for podman (FEDORA-2022-c87047f163)
  • 282683 Fedora Security Update for podman (FEDORA-2022-5e637f6cc6)
  • 282815 Fedora Security Update for buildah (FEDORA-2022-396c568c5e)
  • 282883 Fedora Security Update for golang (FEDORA-2022-92ef43c439)
  • 282893 Fedora Security Update for 3mux (FEDORA-2022-fae3ecee19)
  • 282947 Fedora Security Update for 3mux (FEDORA-2022-3969b64d4b)
  • 283265 Fedora Security Update for golang (FEDORA-2022-13ad572b5a)
  • 283266 Fedora Security Update for golang (FEDORA-2022-739c7a0058)
  • 283460 Fedora Security Update for golang (FEDORA-2022-741325e9a0)
  • 284299 Fedora Security Update for etcd (FEDORA-2022-28d38313c8)
  • 285318 Fedora Security Update for golang (FEDORA-2023-0c6723004f)
  • 502042 Alpine Linux Security Update for buildah
  • 752083 SUSE Enterprise Linux Security Update for firewalld, golang-github-prometheus-prometheus (SUSE-SU-2022:1435-1)
  • 752251 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:2134-1)
  • 752252 SUSE Enterprise Linux Security Update for golang-github-prometheus-node_exporter (SUSE-SU-2022:2137-1)
  • 752253 SUSE Enterprise Linux Security Update for node_exporter (SUSE-SU-2022:2140-1)
  • 752731 SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:3747-1)
  • 752738 SUSE Enterprise Linux Security Update for golang-github-prometheus-node_exporter (SUSE-SU-2022:3745-1)
  • 753361 SUSE Enterprise Linux Security Update for podman (SUSE-SU-2022:2834-1)
  • 753444 SUSE Enterprise Linux Security Update for podman (SUSE-SU-2022:2839-1)
  • 753592 SUSE Enterprise Linux Security Update for podman (SUSE-SU-2023:0187-1)
  • 753659 SUSE Enterprise Linux Security Update for podman (SUSE-SU-2023:0326-1)
  • 770161 Red Hat OpenShift Container Platform 4.1 Security Update (RHSA-2022:5068)
  • 907625 Common Base Linux Mariner (CBL-Mariner) Security Update for kured (31981-1)
  • 907799 Common Base Linux Mariner (CBL-Mariner) Security Update for kube-vip-cloud-provider (33603-1)
  • 907825 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-buildx (33614-1)
  • 907834 Common Base Linux Mariner (CBL-Mariner) Security Update for application-gateway-kubernetes-ingress (33567-1)
  • 907872 Common Base Linux Mariner (CBL-Mariner) Security Update for local-path-provisioner (33611-1)
  • 907878 Common Base Linux Mariner (CBL-Mariner) Security Update for rook (33639)
  • 907888 Common Base Linux Mariner (CBL-Mariner) Security Update for prometheus-node-exporter (33634-1)
  • 907889 Common Base Linux Mariner (CBL-Mariner) Security Update for prometheus-process-exporter (33637)
  • 907915 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-engine (33620)
  • 907916 Common Base Linux Mariner (CBL-Mariner) Security Update for nmi (33623)
  • 907918 Common Base Linux Mariner (CBL-Mariner) Security Update for node-problem-detector (33626)
  • 907927 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-cli (33618)
  • 907940 Common Base Linux Mariner (CBL-Mariner) Security Update for rook (33639-1)
  • 907944 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-engine (33620-1)
  • 907947 Common Base Linux Mariner (CBL-Mariner) Security Update for prometheus-process-exporter (33637-1)
  • 907951 Common Base Linux Mariner (CBL-Mariner) Security Update for node-problem-detector (33626-1)
  • 907959 Common Base Linux Mariner (CBL-Mariner) Security Update for nmi (33623-1)
  • 907962 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-cli (33618-1)
  • 940562 AlmaLinux Security Update for container-tools:rhel8 (ALSA-2022:1762)
  • 940770 AlmaLinux Security Update for grafana (ALSA-2022:7519)
  • 940773 AlmaLinux Security Update for container-tools:3.0 (ALSA-2022:7529)
  • 940826 AlmaLinux Security Update for grafana (ALSA-2022:8057)
  • 960194 Rocky Linux Security Update for container-tools:rhel8 (RLSA-2022:1762)
  • 960528 Rocky Linux Security Update for grafana (RLSA-2022:8057)
  • 960603 Rocky Linux Security Update for container-tools:3.0 (RLSA-2022:7529)
© CVE.report 2026