Executive Summary

This vulnerability affects Pyroscope, an open-source continuous profiling database that supports Tencent Cloud Object Storage (COS) as a storage backend.

If Pyroscope is configured to use Tencent COS, an attacker with direct access to the Pyroscope API can extract the secret_key configuration value.

This secret_key is sensitive information that should be protected, and the vulnerability arises because it can be accessed through the API without proper restrictions.

To mitigate this risk, it is recommended to limit public internet exposure of the Pyroscope database so that only trusted users or internal systems can access it.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows an attacker to obtain the secret_key used by Pyroscope when configured with Tencent COS storage.

With this secret_key, an attacker could potentially gain unauthorized access to the Tencent Cloud Object Storage backend, leading to data exposure or manipulation.

The vulnerability has a high severity score (CVSS 9.1), indicating it can lead to significant confidentiality and integrity impacts without requiring privileges or user interaction.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, it is highly recommended to limit the public internet exposure of all Pyroscope databases, ensuring they are only accessible by trusted users or internal systems.

Additionally, upgrade Pyroscope to a fixed version: 1.15.2 or above for 1.15.x versions, 1.16.1 or above for 1.16.x versions, and 1.17.0 or above for 1.17.x versions.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker with direct access to the Pyroscope API to extract the secret_key configuration value, exposing sensitive storage credentials. Such exposure of confidential information can lead to unauthorized access to data stored in Tencent Cloud Object Storage (COS).

The compromise of sensitive credentials and potential unauthorized data access can negatively impact compliance with data protection regulations and standards such as GDPR and HIPAA, which require strict controls over the confidentiality and integrity of personal and sensitive data.

To mitigate this risk and help maintain compliance, it is strongly recommended to restrict Pyroscope API access to trusted users or internal systems and avoid public internet exposure.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability requires direct access to the Pyroscope API when it is configured to use Tencent Cloud Object Storage (COS) as the storage backend. Detection involves verifying if your Pyroscope instance is exposed to untrusted networks and if the secret_key configuration can be accessed via the API.

To detect potential exposure, you can check if the Pyroscope API endpoint is accessible from outside trusted networks using network scanning tools or commands such as:

• Using curl to test API accessibility: curl -v http://<pyroscope-api-host>:<port>/api
• Using nmap to scan for open Pyroscope API ports: nmap -p <port> <pyroscope-api-host>

Additionally, reviewing the Pyroscope configuration files to check if Tencent COS is used as the storage backend and verifying the Pyroscope version to ensure it is patched (1.15.2+, 1.16.1+, or 1.17.0+) can help detect vulnerable instances.

Useful 0 Not Useful 0