CVE-2022-36640: Incorrect Default Permissions in InfluxDB

Severity: 9.8 CRITICAL (NVD)
EPSS: 6.8% (top 8.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 2, 2022; latest update Sep 3, 2022

Description

influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization."

In practical terms: an InfluxDB 1.x instance left at its defaults (auth-enabled = false) accepts arbitrary InfluxQL over its HTTP API (default port 8086), so anyone who can reach that port can read, write, or drop databases and create users. "Arbitrary commands" in the record means InfluxQL statements, not OS commands. The record cites v1.8.10 as the boundary, but the disputed status reflects that the open default is a documented configuration choice; whatever the version, the effective control is operational: set auth-enabled = true under [http] in influxdb.conf and create an admin user (CREATE USER <name> WITH PASSWORD '<password>' WITH ALL PRIVILEGES) before the instance is reachable from an untrusted network.
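The following is an added example for this record, not code from InfluxData or from the advisory feeds listed on this page. It checks whether an InfluxDB 1.x HTTP endpoint answers an unauthenticated SHOW DATABASES query, which is exactly the condition this CVE describes. The /query path, port 8086 and the "results" JSON shape are InfluxDB 1.x facts; the sample responses, the host name in the usage line and the helper names are assumptions constructed for the example.

```python
"""Probe an InfluxDB 1.x HTTP API for unauthenticated query access.

Added example for this advisory page; not InfluxData's code. SAMPLE_OPEN and
SAMPLE_AUTH are constructed responses, not captures from a live host.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_PORT = 8086  # InfluxDB 1.x HTTP API default


def classify_query_response(status: int, body: str) -> str:
    """Map the status/body of GET /query?q=SHOW+DATABASES to a verdict.

    "open":          200 with a "results" array, i.e. the query ran with no
                     credentials (auth-enabled = false, this CVE's condition).
    "auth-enforced": 401 or 403, the server demanded or refused credentials.
    "unknown":       anything else (not an InfluxDB 1.x /query answer).
    """
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "results" in doc:
            return "open"
        return "unknown"
    if status in (401, 403):
        return "auth-enforced"
    return "unknown"


def list_databases(body: str) -> list:
    """Extract database names from a successful SHOW DATABASES response."""
    doc = json.loads(body)
    names = []
    for result in doc.get("results", []):
        for series in result.get("series", []):
            if series.get("name") == "databases":
                names.extend(row[0] for row in series.get("values", []))
    return names


def probe(base_url: str, timeout: float = 5.0) -> tuple:
    """Send the unauthenticated SHOW DATABASES query; return (status, body).

    urllib raises on non-2xx responses, so the except branch recovers the
    status code and body that classify_query_response() needs.
    """
    query = urllib.parse.urlencode({"q": "SHOW DATABASES"})
    url = base_url.rstrip("/") + "/query?" + query
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses (assumption: illustrative only, not captured).
SAMPLE_OPEN = (200, '{"results":[{"statement_id":0,"series":[{"name":"databases",'
                    '"columns":["name"],"values":[["_internal"],["telegraf"]]}]}]}')
SAMPLE_AUTH = (401, '{"error":"unable to parse authentication credentials"}')


def main(argv: list) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} http://host:{DEFAULT_PORT}", file=sys.stderr)
        return 2
    status, body = probe(argv[1])
    verdict = classify_query_response(status, body)
    print(f"{argv[1]}: HTTP {status} -> {verdict}")
    if verdict == "open":
        print("databases readable without credentials:",
              ", ".join(list_databases(body)))
    return 1 if verdict == "open" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python probe_influx.py http://influx.example.internal:8086` (hypothetical host). An "open" verdict, with the database list printed, is the state this record describes; "auth-enforced" means the instance already has auth-enabled = true. The exit code is non-zero only for the open case so the script can sit in a fleet-wide check.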

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 2 packages

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-x7v4-5qjr-j62x: influxData influxDB before v1... (2022-09-03)
OSV: CVE-2022-36640: ** DISPUTED ** influxData influxDB before v1... (2022-09-02)
OSV: CVE-2022-36640: influxData influxDB before v1... (2022-09-02)

📋 Vendor Advisories (1)

Debian: CVE-2022-36640: influxdb - influxData influxDB before v1.8.10 contains no authentication mechanism or contr... (2022)