CVE-2022-36640

Name: CVE-2022-36640
Description: influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                                    | Version               | Status
influxdb (PTS)  | stretch (security), stretch (lts), stretch | 1.1.1+dfsg1-4+deb9u1  | vulnerable
                | buster (security), buster, buster (lts)    | 1.6.4-1+deb10u1       | vulnerable
                | bullseye, bookworm                         | 1.6.7~rc0-1           | vulnerable
                | sid, trixie                                | 1.6.7~rc0-2           | vulnerable

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version | Urgency     | Origin | Debian Bugs
influxdb  | source | (unstable) | (unfixed)     | unimportant |        |

Notes

If InfluxDB is deployed on a publicly accessible endpoint, it is recommended
to enable authentication.
