SB2025072757 - Fedora EPEL 9 update for node-exporter

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025072757

SB2025072757 - Fedora EPEL 9 update for node-exporter

Published: July 27, 2025

Security Bulletin ID SB2025072757
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 83% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2022-21698)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within method label cardinality. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


2) Use of Password Hash Instead of Password for Authentication (CVE-ID: CVE-2022-46146)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to incorrect implementation of basic authentication. A remote attacker with knowledge of the password hash can authenticate against Prometheus without actual knowledge of the password.


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2022-41717)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.


4) Resource exhaustion (CVE-ID: CVE-2022-41723)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the HPACK decoder. A remote attacker can send a specially crafted HTTP/2 stream to the application, cause resource exhaustion and perform a denial of service (DoS) attack.


5) Resource exhaustion (CVE-ID: CVE-2023-39325)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive consumption of internal resources when handling HTTP/2 requests. A remote attacker can bypass the http2.Server.MaxConcurrentStreams setting by creating new connections while the current connections are still being processed, trigger resource exhaustion and perform a denial of service (DoS) attack.


6) Input validation error (CVE-ID: CVE-2025-22870)

The vulnerability allows a remote attacker to alter application's behavior.

The vulnerability exists due to insufficient validation of an IPv6 zone ID as a hostname component, when matching hosts against proxy patterns. For instance the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. A remote attacker can alter application behavior and potentially  gain access to sensitive information or functionality.


Remediation

Install update from vendor's website.

References