Fluid Attacks Database

Description

Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics

Impact

An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default).

Patches

PR #1745 fixes the problem. Available in Miniflux >= 2.0.43.

Workarounds

Set METRICS_COLLECTOR to false (default) or run Miniflux behind a trusted reverse-proxy.

References

https://miniflux.app/docs/configuration.html#metrics-collector

https://miniflux.app/docs/configuration.html#metrics-allowed-networks

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	miniflux.app/v2	>=0 <2.0.43	2.0.43
go	miniflux.app	>=0 <=1.0.46	-

Aliases

1. CVE-2023-275912. NVD-2023-275913. OSV-2023-275914. GHSA-3qjf-qh38-x73v5. GCVE-2023-27591

References

1. https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v2. https://github.com/miniflux/v2/pull/17453. https://github.com/miniflux/v2/releases/tag/2.0.434. https://miniflux.app/docs/configuration.html#metrics-collector

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.