Bug 1203191 - (CVE-2022-36640) VUL-2: CVE-2022-36640: influxdb: there are no authentication mechanisms before v1.8.10 (DISPUTED)
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None Severity: Normal
Target Milestone: ---
Assigned To: Cloud Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/341457/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-36640:0.0:(AV:...
Keywords:
Depends on:
Blocks:
Reported: 2022-09-07 06:33 UTC by Carlos López
Modified: 2022-09-07 06:35 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-09-07 06:33:50 UTC
CVE-2022-36640

** DISPUTED ** influxData influxDB before v1.8.10 contains no authentication
mechanism or controls, allowing unauthenticated attackers to execute arbitrary
commands. NOTE: the CVE ID assignment is disputed because the vendor's
documentation states "If InfluxDB is being deployed on a publicly accessible
endpoint, we strongly recommend authentication be enabled. Otherwise the data
will be publicly available to any unauthenticated user. The default settings do
NOT enable authentication and authorization."

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36640
http://www.cvedetails.com/cve/CVE-2022-36640/
https://www.cve.org/CVERecord?id=CVE-2022-36640
https://dl.influxdata.com/influxdb/releases/influxdb_1.8.10_amd64.deb
https://www.influxdata.com/
http://influxdb.com
https://portal.influxdata.com/downloads/
http://www.krsecu.com/CVE/409b5310045bd6b9a984a5fb63bd8786d5c5681a8ad5b1c815c84b2b90002ad7.docx
http://influxdata.com
Comment 1 Carlos López 2022-09-07 06:35:30 UTC
This CVE is disputed and the behavior is documented, so it does not meet the requirements for Cloud8 and Cloud9. Closing as WONTFIX.
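
The description quotes the vendor documentation saying the default settings do not enable authentication. The following check is an added example, not part of this bug report or of InfluxData's code; it audits an InfluxDB 1.x `influxdb.conf` for that condition. It assumes the 1.x `[http]` keys `enabled`, `bind-address` and `auth-enabled` with their documented defaults; the function names and both sample files are constructed for illustration.

```python
import re

# Constructed sample files, not taken from the bug report.
DEFAULT_CONF = """
[meta]
  dir = "/var/lib/influxdb/meta"
[http]
  # auth-enabled = false
"""
HARDENED_CONF = """
[http]
  enabled = true
  bind-address = "127.0.0.1:8086"
  auth-enabled = true
"""

# Defaults of the 1.x [http] section when a key is absent or commented out.
HTTP_DEFAULTS = {"enabled": "true", "bind-address": ":8086", "auth-enabled": "false"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def http_settings(conf_text):
    """Return the effective [http] settings (simplified line parser, not full TOML)."""
    settings, section = dict(HTTP_DEFAULTS), None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[+\s*([^\]]+?)\s*\]+", line)
        if header:
            section = header.group(1)
        elif section == "http" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value.strip('"')
    return settings


def audit(conf_text):
    """Report whether the HTTP API answers unauthenticated requests, and from where."""
    s = http_settings(conf_text)
    api_on = s["enabled"].lower() == "true"
    auth_on = s["auth-enabled"].lower() == "true"
    host = s["bind-address"].rsplit(":", 1)[0]  # empty host means all interfaces
    return {
        "auth_enabled": auth_on,
        "loopback_only": host in LOOPBACK_HOSTS,
        "exposed_without_auth": api_on and not auth_on and host not in LOOPBACK_HOSTS,
    }


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text))
```

Environment variables such as `INFLUXDB_HTTP_AUTH_ENABLED` override the file, so the service environment needs the same check.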