CVE-2023-22497

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-22497
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22497.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-22497
Aliases
  • GHSA-jx85-39cw-66f2
Downstream
Published
2023-01-14T01:02:12Z
Modified
2025-10-15T02:27:50.425740Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Summary
Netdata is vulnerable to improper authentication
Details

Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and is saved to disk, so that it persists across restarts and reboots. Anyone who has access to a Netdata Agent also has access to its MACHINE GUID.

Streaming is a feature that allows a Netdata Agent to act as a parent for other Netdata Agents (children), offloading functions such as longer data retention, ML and health monitoring from the children to the parent Agent. Streaming is configured in stream.conf. On the parent side, stream.conf holds an API key (any random UUID will do) that provides the common configuration for all children using that key, plus optional per-MACHINE GUID sections that customize the configuration for an individual child.

The way this was implemented allowed an attacker to use a valid MACHINE GUID as an API key: both identifiers are UUIDs configured in the same file on the parent, and a child's MACHINE GUID, which is readable by anyone with access to that child, was accepted by the parent as if it were an API key. This affects all users who expose their child Netdata Agents to non-trusted users and also expose to those same users the parent Agents that aggregate data from the children.

The problem has been fixed in Netdata agent v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a workaround, do not enable streaming (it is not enabled by default); if you have previously enabled it, it can be disabled. Limiting access to the streaming port on the receiving (parent) Agent to trusted child connections may mitigate the impact of this vulnerability.
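To make the mis-binding concrete, the following is a small Python model of the parent-side key lookup described above. It is an added illustration written for this page, not Netdata's code: the stream.conf fragment is constructed, both UUIDs are made up, and the `role` option used to tell an API-key section from a per-MACHINE GUID section is a hypothetical marker standing in for whatever distinction the fixed release draws, not a real Netdata option. The vulnerable variant accepts any enabled UUID-named section as an API key, so a child's MACHINE GUID authenticates; the hardened variant additionally requires the section to be an API-key section.

```python
import configparser
import uuid
from typing import Callable, Optional

# Constructed parent-side stream.conf fragment (illustration only, not a file
# shipped by Netdata). One API key shared by all children, plus a per-child
# section named after that child's MACHINE GUID. Both UUIDs are made up, and
# the "role" option is a hypothetical marker added for this example.
PARENT_STREAM_CONF = """
[stream]
    enabled = no

[3d7cb1ae-8e5c-4a1c-9a38-4f0e6b9c5d21]
    enabled = yes
    default history = 3600
    role = api

[7b2f6c0e-1d4a-4e9f-a6c3-0b8d5e2f9a44]
    enabled = yes
    default history = 86400
    role = machine
"""

# What a legitimate child is supposed to present when it connects.
API_KEY = "3d7cb1ae-8e5c-4a1c-9a38-4f0e6b9c5d21"
# The child's own MACHINE GUID: readable by anyone who can reach that child.
CHILD_MACHINE_GUID = "7b2f6c0e-1d4a-4e9f-a6c3-0b8d5e2f9a44"


def load_parent_conf(text: str) -> configparser.ConfigParser:
    """Parse a stream.conf-style INI text (section per UUID, indented options)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def looks_like_uuid(value: str) -> bool:
    """Both API keys and MACHINE GUIDs are UUIDs, which is what makes them confusable."""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def enabled_section(conf: configparser.ConfigParser, presented_key: str) -> Optional[str]:
    """Return the section named by the presented key if it exists and is enabled."""
    if not looks_like_uuid(presented_key) or not conf.has_section(presented_key):
        return None
    if not conf.getboolean(presented_key, "enabled", fallback=False):
        return None
    return presented_key


def authenticate_vulnerable(conf: configparser.ConfigParser, presented_key: str) -> bool:
    """Pre-fix behaviour as described in the advisory: any enabled UUID section
    matching the presented key is treated as a valid API key, with no check of
    whether that section was meant to be an API key or a per-child MACHINE GUID."""
    return enabled_section(conf, presented_key) is not None


def authenticate_fixed(conf: configparser.ConfigParser, presented_key: str) -> bool:
    """Hardened lookup: the matching section must also be an API-key section.
    Per-MACHINE GUID sections only customise an already authenticated child."""
    section = enabled_section(conf, presented_key)
    return section is not None and conf.get(section, "role", fallback="") == "api"


def attacker_with_child_access(conf: configparser.ConfigParser,
                               authenticate: Callable[[configparser.ConfigParser, str], bool]) -> bool:
    """An attacker who can query a child Agent learns its MACHINE GUID and then
    presents it to the parent as the API key. Returns whether the parent accepts it."""
    learned_guid = CHILD_MACHINE_GUID
    return authenticate(conf, learned_guid)


if __name__ == "__main__":
    conf = load_parent_conf(PARENT_STREAM_CONF)
    for name, check in (("vulnerable", authenticate_vulnerable), ("fixed", authenticate_fixed)):
        print(f"{name}: real API key accepted      = {check(conf, API_KEY)}")
        print(f"{name}: child MACHINE GUID accepted = {attacker_with_child_access(conf, check)}")
```

The hardened check still lets the real API key through and still rejects unknown or malformed keys; the only behavioural change is that a section configured to customise one child can no longer double as a credential, which is the gap the advisory describes.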

References

Affected packages

Git / github.com/netdata/netdata

Affected ranges

Type
GIT
Repo
https://github.com/netdata/netdata
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.32.1
1.34.0

Other

untagged-10d59b9e5fa68b9500e1

v0.*

v0.1
v0.2

v1.*

v1.0.0
v1.0rc
v1.1.0
v1.10.0
v1.11.0
v1.11.1
v1.12.0
v1.12.0-rc0
v1.12.0-rc1
v1.12.0-rc2
v1.12.0-rc3
v1.12.1
v1.12.2
v1.13.0
v1.14.0
v1.14.0-rc0
v1.15.0
v1.16.0
v1.16.1
v1.17.0
v1.17.1
v1.18.0
v1.18.1
v1.19.0
v1.2.0
v1.20.0
v1.21.0
v1.21.1
v1.22.0
v1.22.1
v1.23.0
v1.23.1
v1.23.1_infiniband
v1.23.2
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.27.0_0104103941
v1.28.0
v1.29.0
v1.29.1
v1.29.2
v1.29.3
v1.3.0
v1.30.0
v1.30.1
v1.31.0
v1.32.0
v1.32.1
v1.33.0
v1.33.1
v1.34.0
v1.35.0
v1.36.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0

Database specific

{
    "unresolved_versions": [
        {
            "events": [
                {
                    "introduced": "0"
                },
                {
                    "fixed": "1.36.0-409"
                }
            ],
            "type": ""
        }
    ]
}