CVE-2022-36640
Published: 2022-09-02
Priority: P2 66 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.93% (77.5th percentile)
influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | influxdb | — | — |
| influxdata | influxdb | < 1.8.0 | 1.8.0 |
Detection & IOCs (extracted from sources)
- InfluxDB instances with no authentication enabled are exploitable by unauthenticated attackers; detect unauthenticated HTTP requests to InfluxDB endpoints (default port 8086) from unexpected sources.
- The default InfluxDB configuration does NOT enable authentication and authorization; audit deployments for missing auth config as an indicator of vulnerable exposure.
- Multiple Debian releases (bookworm, bullseye, forky, sid, trixie) remain open/unpatched as of the Debian Security Tracker, indicating wide exposure on Debian-based deployments.
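The second item above (audit deployments for missing auth config) can be checked against the InfluxDB 1.x TOML config file. The script below is an added example, not part of this record or of InfluxDB; it assumes the 1.x layout where `auth-enabled` lives under `[http]` and defaults to `false` when absent or commented out, and the two config fragments are constructed samples.

```python
"""Audit an InfluxDB 1.x config for the unauthenticated-default condition."""
import re

# Constructed sample: the stock 1.x config ships auth-enabled commented out,
# so the default (false) applies and the HTTP API accepts anyone.
SAMPLE_DEFAULT_CONF = """
[meta]
  dir = "/var/lib/influxdb/meta"

[http]
  enabled = true
  bind-address = ":8086"
  # auth-enabled = false
"""

# Constructed sample: auth on, and bound to loopback only.
SAMPLE_HARDENED_CONF = """
[http]
  enabled = true
  bind-address = "127.0.0.1:8086"
  auth-enabled = true
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KV = re.compile(r"^\s*(?P<key>[A-Za-z0-9_-]+)\s*=\s*(?P<val>.+?)\s*$")


def parse_conf(text: str) -> dict:
    """Minimal parser: {section: {key: raw value}}. '#' comments are dropped."""
    sections, current = {}, ""
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # commented-out keys must not count as set
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, {})
            continue
        m = _KV.match(line)
        if m:
            sections.setdefault(current, {})[m.group("key")] = m.group("val").strip('"')
    return sections


def audit_http_auth(text: str) -> list[str]:
    """Return findings for the [http] section; an empty list means nothing flagged."""
    http = parse_conf(text).get("http", {})
    findings = []
    if http.get("enabled", "true").lower() != "true":
        return findings  # HTTP API disabled entirely, nothing to audit here
    # Absent key means InfluxDB's own default, which is false (unauthenticated).
    if http.get("auth-enabled", "false").lower() != "true":
        findings.append("http.auth-enabled is not true (default: false)")
    bind = http.get("bind-address", ":8086")
    if bind.startswith(":") or bind.startswith("0.0.0.0"):
        findings.append(f"http.bind-address {bind!r} listens on all interfaces")
    return findings
```

Run it over `/etc/influxdb/influxdb.conf` on each host; any finding on a host reachable beyond loopback is the exposure this record describes.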
CVSS provenance
- nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- osv: 9.8 CRITICAL
- vendor_debian: 9.8 LOW
Debian
CVE-2022-36640 [CRITICAL]: influxdb - influxData influxDB before v1.8.10 contains no authentication mechanism or contr...
vendor_debian · 2022 · CVSS 9.8
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
GHSA
GHSA-x7v4-5qjr-j62x [CRITICAL] CWE-276: influxData influxDB before v1
ghsa_unreviewed · 2022-09-03
OSV
CVE-2022-36640 [CRITICAL]: ** DISPUTED ** influxData influxDB before v1
osv · 2022-09-02 · CVSS 9.8
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://influxdata.com
- http://influxdb.com
- http://www.krsecu.com/CVE/409b5310045bd6b9a984a5fb63bd8786d5c5681a8ad5b1c815c84b2b90002ad7.docx
- https://dl.influxdata.com/influxdb/releases/influxdb_1.8.10_amd64.deb
- https://portal.influxdata.com/downloads/
- https://www.influxdata.com/

Published: 2022-09-02