CVE-2022-21698 – Uncontrolled Resource Consumption in promhttp

https://notcve.org/view.php?id=CVE-2022-21698

15 Feb 2022 — client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlig... • https://github.com/prometheus/client_golang/pull/962 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling CWE-772: Missing Release of Resource after Effective Lifetime •