CVE-2023-27591

Source
https://cve.org/CVERecord?id=CVE-2023-27591
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27591.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-27591
Aliases
Published
2023-03-17T19:04:03.702Z
Modified
2026-03-14T11:59:56.185328Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics
Details

Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default). A patch is available in Miniflux 2.0.43. As a workaround, set METRICS_COLLECTOR to false (the default) or run Miniflux behind a trusted reverse proxy.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1220",
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/27xxx/CVE-2023-27591.json"
}
References

Affected packages

Git / github.com/miniflux/v2

Affected ranges

Type
GIT
Repo
https://github.com/miniflux/v2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*
2.0.0
2.0.0-rc1
2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.2
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.3
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.4
2.0.40
2.0.41
2.0.42
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27591.json"