CVE-2022-36640
CRITICALinfluxdb < 1.8.10 - Unauthenticated Remote Code Execution
Title source: llmDescription
influxData influxDB before v1.8.10 contains no authentication mechanism or controls, allowing unauthenticated attackers to execute arbitrary commands. NOTE: the CVE ID assignment is disputed because the vendor's documentation states "If InfluxDB is being deployed on a publicly accessible endpoint, we strongly recommend authentication be enabled. Otherwise the data will be publicly available to any unauthenticated user. The default settings do NOT enable authentication and authorization.
References (6)
Core 6
Core References
Product x_refsource_misc
http://influxdata.com
Product x_refsource_misc
http://influxdb.com
Broken Link x_refsource_misc
http://www.krsecu.com/CVE/409b5310045bd6b9a984a5fb63bd8786d5c5681a8ad5b1c815c84b2b90002ad7.docx
Patch, Vendor Advisory x_refsource_misc
https://dl.influxdata.com/influxdb/releases/influxdb_1.8.10_amd64.deb
Patch, Product x_refsource_misc
https://portal.influxdata.com/downloads/
Product x_refsource_misc
https://www.influxdata.com/
Scores
CVSS v3
9.8
EPSS
0.0193
EPSS Percentile
77.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-276
Status
published
Products (1)
influxdata/influxdb
< 1.8.0
Published
Sep 02, 2022
Tracked Since
Feb 18, 2026