{"api_version":"1","generated_at":"2026-04-23T00:41:44+00:00","cve":"CVE-2022-21698","urls":{"html":"https://cve.report/CVE-2022-21698","api":"https://cve.report/api/cve/CVE-2022-21698.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-21698","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-21698"},"summary":{"title":"CVE-2022-21698","description":"client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with a `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. 
Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-02-15 16:15:00","updated_at":"2023-11-07 03:43:00"},"problem_types":["CWE-770"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AK7CJBCGERCRXYUR2EWDSSDVAQMTAZGX/","name":"FEDORA-2022-eda0e65b01","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: skopeo-1.7.0-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RN7JGC2LVHPEGSJYODFUV5FEKPBVG4D7/","name":"FEDORA-2022-739c7a0058","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V7I72LSQ3IET3QJR6QPAVGJZ4CBDLN5/","name":"FEDORA-2022-a7d438b30b","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: stargz-snapshotter-0.10.2-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/","name":"FEDORA-2022-c87047f163","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: podman-3.4.7-1.fc35 - package-announce - 
Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/","name":"FEDORA-2022-fae3ecee19","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: aquatone-1.7.0-7.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/prometheus/client_golang/releases/tag/v1.11.1","name":"https://github.com/prometheus/client_golang/releases/tag/v1.11.1","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"Release 1.11.1 / 2022-02-15 · prometheus/client_golang · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/","name":"FEDORA-2022-c87047f163","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: podman-3.4.7-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR/","name":"FEDORA-2022-396c568c5e","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: buildah-1.23.4-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/","name":"FEDORA-2022-9dd03cab55","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/","name":"FEDORA-2022-5f253807ce","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: skopeo-1.7.0-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5OGNAFVXSMTTT2UPH6CS3IH6L3KM42Q7/","name":"FEDORA-2022-13ad572b5a","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5OGNAFVXSMTTT2UPH6CS3IH6L3KM42Q7/","name":"FEDORA-2022-13ad572b5a","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR/","name":"FEDORA-2022-396c568c5e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: buildah-1.23.4-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKORFJTRRDJCWBTJPISKKCVMMMJBIRLG/","name":"FEDORA-2022-6c4cb64314","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: stargz-snapshotter-0.11.3-2.fc36 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3/","name":"FEDORA-2022-2067702f06","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: podman-4.0.3-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p","name":"https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p","refsource":"CONFIRM","tags":["Issue Tracking","Third Party Advisory"],"title":"InstrumentHandler* HTTP middleware prone to DoS through method label cardinality · Advisory · prometheus/client_golang · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MH6ALXEQXIFQRQFNJ5Y2MJ5DFPIX76VN/","name":"FEDORA-2022-92ef43c439","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: golang-github-prometheus-client-1.12.2-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/","name":"FEDORA-2022-c5383675d9","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3L6GDN5S5QZSCFKWD3GKL2RDZQ6B4UWA/","name":"FEDORA-2022-741325e9a0","refsource":"","tags":[],"title":"[SECURITY] Fedora 37 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc37 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/","name":"FEDORA-2022-5e637f6cc6","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: podman-3.4.7-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V7I72LSQ3IET3QJR6QPAVGJZ4CBDLN5/","name":"FEDORA-2022-a7d438b30b","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: stargz-snapshotter-0.10.2-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBMVIQFKQDSSTHVVJWJ4QH6TW3JVB7XZ/","name":"FEDORA-2022-e244ad73d6","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: stargz-snapshotter-0.10.2-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KBMVIQFKQDSSTHVVJWJ4QH6TW3JVB7XZ/","name":"FEDORA-2022-e244ad73d6","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: stargz-snapshotter-0.10.2-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/","name":"FEDORA-2022-83405f9d5b","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/","name":"FEDORA-2022-fae3ecee19","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: aquatone-1.7.0-7.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/","name":"FEDORA-2022-5f253807ce","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: skopeo-1.7.0-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3L6GDN5S5QZSCFKWD3GKL2RDZQ6B4UWA/","name":"FEDORA-2022-741325e9a0","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 37 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3/","name":"FEDORA-2022-2067702f06","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: podman-4.0.3-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/","name":"FEDORA-2022-c5383675d9","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SASRKYHT5ZFSVMJUQUG3UAEQRJYGJKAR/","name":"FEDORA-2022-6043a7b938","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: skopeo-1.7.0-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AK7CJBCGERCRXYUR2EWDSSDVAQMTAZGX/","name":"FEDORA-2022-eda0e65b01","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: skopeo-1.7.0-1.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/","name":"FEDORA-2022-5e637f6cc6","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: podman-3.4.7-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/","name":"FEDORA-2022-83405f9d5b","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MH6ALXEQXIFQRQFNJ5Y2MJ5DFPIX76VN/","name":"FEDORA-2022-92ef43c439","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: golang-github-prometheus-client-1.12.2-2.fc36 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/prometheus/client_golang/pull/962","name":"https://github.com/prometheus/client_golang/pull/962","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"promhttp: Check validity of method and code label values by kakkoyun · Pull Request #962 · prometheus/client_golang · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SASRKYHT5ZFSVMJUQUG3UAEQRJYGJKAR/","name":"FEDORA-2022-6043a7b938","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: skopeo-1.7.0-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/prometheus/client_golang/pull/987","name":"https://github.com/prometheus/client_golang/pull/987","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"promhttp: Check validity of method and code label values (#962) by bwplotka · Pull Request #987 · prometheus/client_golang · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKORFJTRRDJCWBTJPISKKCVMMMJBIRLG/","name":"FEDORA-2022-6c4cb64314","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: stargz-snapshotter-0.11.3-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RN7JGC2LVHPEGSJYODFUV5FEKPBVG4D7/","name":"FEDORA-2022-739c7a0058","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: golang-github-distribution-3-3.0.0-0.1.pre1.20221009git0122d7d.fc35 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/","name":"FEDORA-2022-9dd03cab55","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-21698","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21698","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"21698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fedoraproject","cpe5":"extra_packages_for_enterprise_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fedoraproject","cpe5":"extra_packages_for_enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject
","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fedoraproject","cpe5":"fedora_extra_packages_for_enterprise_linux","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"prometheus","cpe5":"client_golang","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"go","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21698","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rdo_project","cpe5":"rdo","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-21698","qid":"159829","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2022-1762)"},{"cve":"CVE-2022-21698","qid":"160237","title":"Oracle Enterprise Linux Security Update for container-tools:3.0 (ELSA-2022-7529)"},{"cve":"CVE-2022-21698","qid":"160238","title":"Oracle Enterprise Linux Security Update for grafana (ELSA-2022-7519)"},{"cve":"CVE-2022-21698","qid":"160278","title":"Oracle Enterprise Linux Security Update for grafana (ELSA-2022-8057)"},{"cve":"CVE-2022-21698","qid":"183349","title":"Debian Security Update for golang-github-prometheus-client-golang (CVE-2022-21698)"},{"cve":"CVE-2022-21698","qid":"240293","title":"Red Hat Update for container-tools:rhel8 security 
(RHSA-2022:1762)"},{"cve":"CVE-2022-21698","qid":"240386","title":"Red Hat OpenShift Container Platform 5 Security Update (RHSA-2022:2280)"},{"cve":"CVE-2022-21698","qid":"240607","title":"Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2022:5068)"},{"cve":"CVE-2022-21698","qid":"240610","title":"Red Hat Update for OpenStack Platform 16.1 (RHSA-2022:6066)"},{"cve":"CVE-2022-21698","qid":"240614","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:6061)"},{"cve":"CVE-2022-21698","qid":"240821","title":"Red Hat Update for container-tools:3.0 (RHSA-2022:7529)"},{"cve":"CVE-2022-21698","qid":"240850","title":"Red Hat Update for grafana security (RHSA-2022:7519)"},{"cve":"CVE-2022-21698","qid":"240902","title":"Red Hat Update for grafana security (RHSA-2022:8057)"},{"cve":"CVE-2022-21698","qid":"242773","title":"Red Hat Update for container-tools:3.0 (RHSA-2024:0564)"},{"cve":"CVE-2022-21698","qid":"282547","title":"Fedora Security Update for skopeo (FEDORA-2022-6043a7b938)"},{"cve":"CVE-2022-21698","qid":"282548","title":"Fedora Security Update for skopeo (FEDORA-2022-eda0e65b01)"},{"cve":"CVE-2022-21698","qid":"282587","title":"Fedora Security Update for stargz (FEDORA-2022-e244ad73d6)"},{"cve":"CVE-2022-21698","qid":"282588","title":"Fedora Security Update for stargz (FEDORA-2022-a7d438b30b)"},{"cve":"CVE-2022-21698","qid":"282601","title":"Fedora Security Update for grafana (FEDORA-2022-83405f9d5b)"},{"cve":"CVE-2022-21698","qid":"282602","title":"Fedora Security Update for grafana (FEDORA-2022-9dd03cab55)"},{"cve":"CVE-2022-21698","qid":"282631","title":"Fedora Security Update for podman (FEDORA-2022-c87047f163)"},{"cve":"CVE-2022-21698","qid":"282683","title":"Fedora Security Update for podman (FEDORA-2022-5e637f6cc6)"},{"cve":"CVE-2022-21698","qid":"282815","title":"Fedora Security Update for buildah (FEDORA-2022-396c568c5e)"},{"cve":"CVE-2022-21698","qid":"282883","title":"Fedora Security Update for golang 
(FEDORA-2022-92ef43c439)"},{"cve":"CVE-2022-21698","qid":"282893","title":"Fedora Security Update for 3mux (FEDORA-2022-fae3ecee19)"},{"cve":"CVE-2022-21698","qid":"282947","title":"Fedora Security Update for 3mux (FEDORA-2022-3969b64d4b)"},{"cve":"CVE-2022-21698","qid":"283265","title":"Fedora Security Update for golang (FEDORA-2022-13ad572b5a)"},{"cve":"CVE-2022-21698","qid":"283266","title":"Fedora Security Update for golang (FEDORA-2022-739c7a0058)"},{"cve":"CVE-2022-21698","qid":"283460","title":"Fedora Security Update for golang (FEDORA-2022-741325e9a0)"},{"cve":"CVE-2022-21698","qid":"284299","title":"Fedora Security Update for etcd (FEDORA-2022-28d38313c8)"},{"cve":"CVE-2022-21698","qid":"285318","title":"Fedora Security Update for golang (FEDORA-2023-0c6723004f)"},{"cve":"CVE-2022-21698","qid":"502042","title":"Alpine Linux Security Update for buildah"},{"cve":"CVE-2022-21698","qid":"752083","title":"SUSE Enterprise Linux Security Update for firewalld, golang-github-prometheus-prometheus (SUSE-SU-2022:1435-1)"},{"cve":"CVE-2022-21698","qid":"752251","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:2134-1)"},{"cve":"CVE-2022-21698","qid":"752252","title":"SUSE Enterprise Linux Security Update for golang-github-prometheus-node_exporter (SUSE-SU-2022:2137-1)"},{"cve":"CVE-2022-21698","qid":"752253","title":"SUSE Enterprise Linux Security Update for node_exporter (SUSE-SU-2022:2140-1)"},{"cve":"CVE-2022-21698","qid":"752731","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:3747-1)"},{"cve":"CVE-2022-21698","qid":"752738","title":"SUSE Enterprise Linux Security Update for golang-github-prometheus-node_exporter (SUSE-SU-2022:3745-1)"},{"cve":"CVE-2022-21698","qid":"753361","title":"SUSE Enterprise Linux Security Update for podman (SUSE-SU-2022:2834-1)"},{"cve":"CVE-2022-21698","qid":"753444","title":"SUSE Enterprise Linux Security Update for podman 
(SUSE-SU-2022:2839-1)"},{"cve":"CVE-2022-21698","qid":"753592","title":"SUSE Enterprise Linux Security Update for podman (SUSE-SU-2023:0187-1)"},{"cve":"CVE-2022-21698","qid":"753659","title":"SUSE Enterprise Linux Security Update for podman (SUSE-SU-2023:0326-1)"},{"cve":"CVE-2022-21698","qid":"770161","title":"Red Hat OpenShift Container Platform 4.1 Security Update (RHSA-2022:5068)"},{"cve":"CVE-2022-21698","qid":"907625","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for kured (31981-1)"},{"cve":"CVE-2022-21698","qid":"907799","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for kube-vip-cloud-provider (33603-1)"},{"cve":"CVE-2022-21698","qid":"907825","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-buildx (33614-1)"},{"cve":"CVE-2022-21698","qid":"907834","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for application-gateway-kubernetes-ingress (33567-1)"},{"cve":"CVE-2022-21698","qid":"907872","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for local-path-provisioner (33611-1)"},{"cve":"CVE-2022-21698","qid":"907878","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rook (33639)"},{"cve":"CVE-2022-21698","qid":"907888","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for prometheus-node-exporter (33634-1)"},{"cve":"CVE-2022-21698","qid":"907889","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for prometheus-process-exporter (33637)"},{"cve":"CVE-2022-21698","qid":"907915","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-engine (33620)"},{"cve":"CVE-2022-21698","qid":"907916","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nmi (33623)"},{"cve":"CVE-2022-21698","qid":"907918","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for node-problem-detector (33626)"},{"cve":"CVE-2022-21698","qid":"907927","title":"Common Base Linux Mariner (CBL-Mariner) Security 
Update for moby-cli (33618)"},{"cve":"CVE-2022-21698","qid":"907940","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rook (33639-1)"},{"cve":"CVE-2022-21698","qid":"907944","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-engine (33620-1)"},{"cve":"CVE-2022-21698","qid":"907947","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for prometheus-process-exporter (33637-1)"},{"cve":"CVE-2022-21698","qid":"907951","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for node-problem-detector (33626-1)"},{"cve":"CVE-2022-21698","qid":"907959","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for nmi (33623-1)"},{"cve":"CVE-2022-21698","qid":"907962","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for moby-cli (33618-1)"},{"cve":"CVE-2022-21698","qid":"940562","title":"AlmaLinux Security Update for container-tools:rhel8 (ALSA-2022:1762)"},{"cve":"CVE-2022-21698","qid":"940770","title":"AlmaLinux Security Update for grafana (ALSA-2022:7519)"},{"cve":"CVE-2022-21698","qid":"940773","title":"AlmaLinux Security Update for container-tools:3.0 (ALSA-2022:7529)"},{"cve":"CVE-2022-21698","qid":"940826","title":"AlmaLinux Security Update for grafana (ALSA-2022:8057)"},{"cve":"CVE-2022-21698","qid":"960194","title":"Rocky Linux Security Update for container-tools:rhel8 (RLSA-2022:1762)"},{"cve":"CVE-2022-21698","qid":"960528","title":"Rocky Linux Security Update for grafana (RLSA-2022:8057)"},{"cve":"CVE-2022-21698","qid":"960603","title":"Rocky Linux Security Update for container-tools:3.0 (RLSA-2022:7529)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-21698","STATE":"PUBLIC","TITLE":"Uncontrolled Resource Consumption in promhttp"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"client_golang","version":{"version_data":[{"version_value":"< 
1.11.1"}]}}]},"vendor_name":"prometheus"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-400: Uncontrolled Resource 
Consumption"}]}]},"references":{"reference_data":[{"name":"https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p","refsource":"CONFIRM","url":"https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p"},{"name":"https://github.com/prometheus/client_golang/pull/962","refsource":"MISC","url":"https://github.com/prometheus/client_golang/pull/962"},{"name":"https://github.com/prometheus/client_golang/pull/987","refsource":"MISC","url":"https://github.com/prometheus/client_golang/pull/987"},{"name":"https://github.com/prometheus/client_golang/releases/tag/v1.11.1","refsource":"MISC","url":"https://github.com/prometheus/client_golang/releases/tag/v1.11.1"},{"refsource":"FEDORA","name":"FEDORA-2022-5f253807ce","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FY3N7H6VSDZM37B4SKM2PFFCUWU7QYWN/"},{"refsource":"FEDORA","name":"FEDORA-2022-6c4cb64314","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKORFJTRRDJCWBTJPISKKCVMMMJBIRLG/"},{"refsource":"FEDORA","name":"FEDORA-2022-eda0e65b01","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AK7CJBCGERCRXYUR2EWDSSDVAQMTAZGX/"},{"refsource":"FEDORA","name":"FEDORA-2022-6043a7b938","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SASRKYHT5ZFSVMJUQUG3UAEQRJYGJKAR/"},{"refsource":"FEDORA","name":"FEDORA-2022-e244ad73d6","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KBMVIQFKQDSSTHVVJWJ4QH6TW3JVB7XZ/"},{"refsource":"FEDORA","name":"FEDORA-2022-a7d438b30b","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V7I72LSQ3IET3QJR6QPAVGJZ4CBDLN5/"},{"refsource":"FEDORA","name":"FEDORA-2022-83405f9d5b","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fed
oraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"},{"refsource":"FEDORA","name":"FEDORA-2022-9dd03cab55","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"},{"refsource":"FEDORA","name":"FEDORA-2022-c87047f163","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/"},{"refsource":"FEDORA","name":"FEDORA-2022-2067702f06","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3/"},{"refsource":"FEDORA","name":"FEDORA-2022-c5383675d9","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"},{"refsource":"FEDORA","name":"FEDORA-2022-5e637f6cc6","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/"},{"refsource":"FEDORA","name":"FEDORA-2022-396c568c5e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR/"},{"refsource":"FEDORA","name":"FEDORA-2022-92ef43c439","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MH6ALXEQXIFQRQFNJ5Y2MJ5DFPIX76VN/"},{"refsource":"FEDORA","name":"FEDORA-2022-fae3ecee19","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/"},{"refsource":"FEDORA","name":"FEDORA-2022-739c7a0058","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RN7JGC2LVHPEGSJYODFUV5FEKPBVG4D7/"},{"refsource":"FEDORA","name":"FEDORA-2022-13ad572b5a","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5OGNAFVXSMTTT2UPH6CS3IH6L3KM42Q7/"},{"refsource":"FEDORA"
,"name":"FEDORA-2022-741325e9a0","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3L6GDN5S5QZSCFKWD3GKL2RDZQ6B4UWA/"}]},"source":{"advisory":"GHSA-cg3q-j54f-5p7p","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-02-15 16:15:00","lastModifiedDate":"2023-11-07 03:43:00","problem_types":["CWE-770"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:prometheus:client_golang:*:*:*:*:*:go:*:*","versionEndExcluding":"1.11.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:fedorapr
oject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rdo_project:rdo:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"21698","Ordinal":"221433","Title":"CVE-2022-21698","CVE":"CVE-2022-21698","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"21698","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}