SCA: security update for miniflux.app/v2 (GHSA-3qjf-qh38-x73v)

high Tenable Cloud Security Plugin ID 434609

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus
metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` configuration option is
enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). A patch is available in
Miniflux 2.0.43. As a workaround, set `METRICS_COLLECTOR` to `false` (default) or run Miniflux behind a
trusted reverse-proxy. (CVE-2023-27591)

See Also

https://github.com/advisories/GHSA-3qjf-qh38-x73v

Plugin Details

Severity: High

ID: 434609

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-27591

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/2/2025

Vulnerability Publication Date: 3/17/2023

Reference Information

CVE: CVE-2023-27591