CVE-2023-27591

Date: March 17, 2023

Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the "METRICS_COLLECTOR" configuration option is enabled and "METRICS_ALLOWED_NETWORKS" is set to "127.0.0.1/8" (the default). A patch is available in Miniflux 2.0.43. As a workaround, set "METRICS_COLLECTOR" to "false" (default) or run Miniflux behind a trusted reverse-proxy.

Language: Go

Severity Score

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

Insufficient Granularity of Access Control

CWE-1220

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE
