CVE-2023-27591

moderate-risk
Published 2023-03-17

Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). A patch is available in Miniflux 2.0.43. As a workaround, set `METRICS_COLLECTOR` to `false` (default) or run Miniflux behind a trusted reverse-proxy.

Do I need to act?

-
0.49% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

Miniflux

Affected Vendors

Miniflux Project

References (8)

Issue Tracking https://github.com/miniflux/v2/pull/1745
Release Notes https://github.com/miniflux/v2/releases/tag/2.0.43
Vendor Advisory https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v
Product https://miniflux.app/docs/configuration.html#metrics-collector
Issue Tracking https://github.com/miniflux/v2/pull/1745
Release Notes https://github.com/miniflux/v2/releases/tag/2.0.43
Vendor Advisory https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v
Product https://miniflux.app/docs/configuration.html#metrics-collector
33
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal