
Vulnerability Change Records for CVE-2024-28867

Change History

New CVE Received by NIST 3/29/2024 11:15:11 AM

Action | Type | Old Value | New Value
Added | CVSS V3.1 | (none) | GitHub, Inc. AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Added | CWE | (none) | GitHub, Inc. CWE-74
Added | Description | (none) | Swift Prometheus is a Swift client for the Prometheus monitoring system, supporting counters, gauges and histograms. In code which applies _un-sanitized string values into metric names or labels_, an attacker could make use of this and send a `?lang` query parameter containing newlines, `}` or similar characters which can lead to the attacker taking over the exported format -- including creating unbounded numbers of stored metrics, inflating server memory usage, or causing "bogus" metrics. This vulnerability is fixed in 2.0.0-alpha.2.
Added | Reference | (none) | GitHub, Inc. https://github.com/swift-server/swift-prometheus/commit/bfcd4bbfabe11aae4b035424ee9724582e288501 [No types assigned]
Added | Reference | (none) | GitHub, Inc. https://github.com/swift-server/swift-prometheus/security/advisories/GHSA-x768-cvr2-345r [No types assigned]