CVE-2022-36640
Published: 2 September 2022
** DISPUTED ** influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization."
Priority
Status
Package | Release | Status |
---|---|---|
influxdb Launchpad, Ubuntu, Debian |
kinetic |
Ignored
(end of life, was needs-triage)
|
bionic |
Needs triage
|
|
focal |
Needs triage
|
|
jammy |
Needs triage
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
mantic |
Needs triage
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36640
- https://portal.influxdata.com/downloads/
- http://www.krsecu.com/CVE/409b5310045bd6b9a984a5fb63bd8786d5c5681a8ad5b1c815c84b2b90002ad7.docx
- http://influxdb.com
- http://influxdata.com
- https://dl.influxdata.com/influxdb/releases/influxdb_1.8.10_amd64.deb
- https://www.influxdata.com/
- NVD
- Launchpad
- Debian