CVE-2022-36640
CRITICAL 9.8 | EPSS 6.8% | Published: 2022/9/2 | Modified: 2026/4/28
Description
InfluxData InfluxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization."
Affected packages (2)
- Bitnami/influxdb: from 0, < 1.8.0
- Debian/influxdb: from 0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2022-36640
- WEB: http://influxdata.com
- WEB: http://influxdb.com
- WEB: https://dl.influxdata.com/influxdb/releases/influxdb_1.8.10_amd64.deb
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2022-36640
- WEB: https://portal.influxdata.com/downloads/
- WEB: https://www.influxdata.com/
- WEB: http://www.krsecu.com/CVE/409b5310045bd6b9a984a5fb63bd8786d5c5681a8ad5b1c815c84b2b90002ad7.docx