Tag: Configuration
Problems caused by incorrect or missing configuration settings
ID | Severity | Impact | Mitigation | Title | Description | Category | Technology | Tags
---|---|---|---|---|---|---|---|---
CRE-2025-0030 | Medium | 6/10 | 2/10 | SQLAlchemy create_engine fails when password contains special characters like @ | SQLAlchemy applications using `create_engine()` may fail to connect to a database if the username or password contains special characters (e.g., `@`, `:`, `/`, `#`). These characters must be URL-encoded when included in the database connection string. Failure to encode them leads to parsing errors or incorrect credential usage. | ORM | sqlalchemy | Sqlalchemy, Configuration, Password, Uri, Escaping, Connection, Known Issue, Public
CRE-2025-0031 | Medium | 5/10 | 5/10 | Django returns DisallowedHost error for untrusted HTTP_HOST headers | Django applications may return a "DisallowedHost" error when receiving requests with an unrecognized or missing Host header. This typically occurs in production environments where reverse proxies, load balancers, or external clients send requests using an unexpected domain or IP address. Django blocks these requests unless the domain is explicitly listed in `ALLOWED_HOSTS`. | Framework Problems | django | Django, Disallowedhost, Configuration, Web, Security, Host Header, Public
CRE-2025-0032 | Low | 2/10 | 4/10 | Loki generates excessive logs when memcached service port name is incorrect | Loki instances using memcached for caching may emit excessive warning or error logs when the configured `memcached_client` service port name does not match the actual Kubernetes service port. This does not cause a crash or failure, but it results in noisy logs and ineffective caching behavior. | Observability Problems | loki | Loki, Memcached, Configuration, Service, Cache, Known Issue, Kubernetes, Public
CRE-2025-0034 | Medium | 6/10 | 2/10 | Datadog agent disabled due to missing API key | If the Datadog agent or client libraries do not detect a configured API key, they will skip sending metrics, logs, and events. This results in a silent failure of observability reporting, often visible only through startup log messages. | Observability Problems | datadog | Datadog, Configuration, Api Key, Observability, Environment, Telemetry, Known Issue, Public
CRE-2025-0043 | Medium | 4/10 | 2/10 | Grafana fails to load plugin due to missing signature | Grafana may reject custom or third-party plugins at runtime if they are not digitally signed. When plugin signature validation is enabled (the default since Grafana 8+), unsigned plugins are blocked and logged as validation errors during startup or plugin loading. | Observability Problems | grafana | Grafana, Plugin, Validation, Signature, Configuration, Security, Known Issue, Public
CRE-2025-0044 | High | 9/10 | 1/10 | NGINX Config Uses Insecure TLS Ciphers | Detects NGINX configuration files that advertise obsolete and cryptographically weak ciphers (RC4-MD5, RC4-SHA, DES-CBC3-SHA). These ciphers are vulnerable to several well-known attacks, including BEAST, Bar Mitzvah, Lucky-13, and statistical biases in RC4, placing any client-server communication at risk of interception or tampering. | Insecure Configuration | nginx | Nginx, Weak Ciphers, Security, Configuration, TLS, Known Issue, Public
CRE-2025-0053 | Medium | 5/10 | 3/10 | NGINX Client Upload Size Limit Exceeded | The NGINX server is receiving upload requests with bodies that exceed the configured size limits. This occurs when clients attempt to send files or data that are larger than what the server is configured to accept. | Web Server Problem | nginx | Nginx, Upload Limits, Configuration
CRE-2025-0055 | Medium | 8/10 | 3/10 | Nginx upstream buffer size too small | Nginx reports that an upstream server is sending headers that exceed the configured buffer size limits. This typically happens when the upstream application sends responses with large headers, cookies, or other header fields that don't fit in the default buffer allocation. When this occurs, Nginx cannot properly proxy the response to clients, resulting in HTTP errors. | Web Server Problems | nginx | Nginx, Configuration, Proxy, Header Size, Buffer
CRE-2025-0056 | Medium | 8/10 | 3/10 | NGINX worker connections limit exceeded | NGINX has reported that the configured worker_connections limit has been reached. This indicates that the web server has exhausted the available connection slots for handling concurrent client requests. When this limit is reached, new connection attempts may be rejected until existing connections are closed, causing service degradation or outages. | Web Server Problems | nginx | Nginx, Capacity Issue, Web Server, Configuration, Public
CRE-2025-0059 | Low | 6/10 | 2/10 | Datadog CWS Instrumentation webhook registration fails without service account | The Datadog Cluster Agent fails to register its CWS (Container Workload Security) instrumentation webhook when running in `remote_copy` mode without a configured service account. | Configuration Problem | datadog | Datadog, CWS, Admission Controller, webhook, Configuration, Known Issue
CRE-2025-0085 | High | 8/10 | 7/10 | SpiceDB Schema Validation Failures Block Authorization Updates | Detects SpiceDB schema validation failures that prevent authorization logic updates and deployments. These failures occur when invalid schema definitions are submitted, including syntax errors, circular dependencies, type conflicts, or malformed permission expressions, blocking critical authorization system updates. | Authorization Problems | spicedb | SpiceDB, Authorization, Configuration, Validation, Crash, Startup Failure