Home > Vulnerability Database > CVE-2023-27591

Mend.io Vulnerability Database

CVE-2023-27591

Good to know:

Date: March 17, 2023

Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). A patch is available in Miniflux 2.0.43. As a workaround, set `METRICS_COLLECTOR` to `false` (default) or run Miniflux behind a trusted reverse-proxy.

Language: Go

Severity Score

7.5

Related Resources (6)

Url: https://github.com/miniflux/v2/pull/1745

Url: https://github.com/miniflux/v2/releases/tag/2.0.43

Url: https://miniflux.app/docs/configuration.html#metrics-collector

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-27591

Url: https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v

Url: https://www.mend.io/vulnerability-database/CVE-2023-27591

Severity Score

7.5

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Insufficient Information

NVD-CWE-noinfo

Insufficient Granularity of Access Control

CWE-1220

Top Fix

Upgrade Version

Upgrade to version 2.0.43

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-27591

Good to know:

Date: March 17, 2023

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?