CVE-2022-21698

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions client golang versions prior to 1.11.1

Description The HTTP server in client golang is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. To be affected, an instrumented software must use any of promhttp.InstrumentHandler* middleware except RequestsInFlight, not filter any specific methods before middleware, pass metric with method label name to the middleware, and not have any firewall/LB/proxy that filters away requests with unknown method.

Recommendations For client golang versions prior to 1.11.1, update to version 1.11.1 or later to resolve the issue. As a temporary workaround, consider removing the method label name from counter/gauge used in the InstrumentHandler. Alternatively, turn off affected promhttp handlers or add custom middleware before promhttp handler that will sanitize the request method given by Go http.Request. Using a reverse proxy or web application firewall, configured to only allow a limited set of methods, can also help mitigate the issue.

Exploit

Fix

DoS

Missing Release of Resource after Effective Lifetime

Allocation of Resources Without Limits

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-772CWE-770CWE-400

Related Identifiers

ALSA-2022:1762

ALSA-2022:7519

ALSA-2022:7529

ALSA-2022:8057

ALSA-2022_1762

ALSA-2022_7529

ALSA-2025_16880

AZL-31981

AZL-33567

AZL-33603

AZL-33611

AZL-33614

AZL-33618

AZL-33620

AZL-33623

AZL-33626

AZL-33634

AZL-33637

AZL-33639

AZL-34541

AZL-34835

AZL-34999

AZL-35012

AZL-35040

AZL-35122

AZL-39665

AZL-43738

AZL-45249

BDU:2022-05475

CESA-2022_1762

CESA-2022_7519

CESA-2022_7529

CVE-2022-21698

GHSA-CG3Q-J54F-5P7P

GO-2022-0322

GO-2023-1546

GO-2023-2113

MGASA-2022-0180

MGASA-2023-0213

OPENSUSE-SU-2022_1435-1

OPENSUSE-SU-2022_2139-1

OPENSUSE-SU-2022_2140-1

OPENSUSE-SU-2022_2834-1

OPENSUSE-SU-2022_2839-1

OPENSUSE-SU-2022_3745-1

OPENSUSE-SU-2024:11965-1

OPENSUSE-SU-2024:12231-1

OPENSUSE-SU-2024:12259-1

OPENSUSE-SU-2024:12400-1

OPENSUSE-SU-2026:10634-1

OPENSUSE-SU-2026:10644-1

RHSA-2022:1762

RHSA-2022:2280

RHSA-2022:4667

RHSA-2022:5068

RHSA-2022:6042

RHSA-2022:6061

RHSA-2022:6066

RHSA-2022:7519

RHSA-2022:7529

RHSA-2022:8057

RHSA-2022_1762

RHSA-2022_7519

RHSA-2022_7529

RHSA-2022_8057

RHSA-2024:0564

RLSA-2022:1762

RLSA-2022:7519

RLSA-2022:7529

RLSA-2022:8057

SUSE-RU-2022:2145-1

SUSE-SU-2022:1433-1

SUSE-SU-2022:1434-1

SUSE-SU-2022:1435-1

SUSE-SU-2022:1531-1

SUSE-SU-2022:1545-1

SUSE-SU-2022:2134-1

SUSE-SU-2022:2137-1

SUSE-SU-2022:2139-1

SUSE-SU-2022:2140-1

SUSE-SU-2022:2145-1

SUSE-SU-2022:2834-1

SUSE-SU-2022:2839-1

SUSE-SU-2022:2839-2

SUSE-SU-2022:3745-1

SUSE-SU-2022:3747-1

SUSE-SU-2022_1435-1

SUSE-SU-2022_2137-1

SUSE-SU-2022_2140-1

SUSE-SU-2022_3745-1

SUSE-SU-2022_3747-1

SUSE-SU-2024:0191-1

Affected Products

Almalinux

Astra Linux

Centos

Debian

Red Hat

Red Os

Rocky Linux

Suse

Client Golang

CVE-2022-21698

Weakness Enumeration

Related Identifiers

Affected Products

References · 467