CVE-2022-36640: Incorrect Default Permissions

September 2, 2022 (updated November 7, 2023)

influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor’s documentation states “If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization.

References

influxdata.com/
influxdb.com/
www.krsecu.com/CVE/409b5310045bd6b9a984a5fb63bd8786d5c5681a8ad5b1c815c84b2b90002ad7.docx
dl.influxdata.com/influxdb/releases/influxdb_1.8.10_amd64.deb
nvd.nist.gov/vuln/detail/CVE-2022-36640
portal.influxdata.com/downloads/
www.influxdata.com/

Detect and mitigate CVE-2022-36640 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →