CVE-2023-40577 – Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
https://notcve.org/view.php?id=CVE-2023-40577
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with permission to perform POST requests on the /api/v1/alerts endpoint could execute arbitrary JavaScript code in the browsers of Prometheus Alertmanager users. This issue has been fixed in Alertmanager version 0.2.51.
• https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j https://lists.debian.org/debian-lts-announce/2023/10/msg00011.html https://access.redhat.com/security/cve/CVE-2023-40577 https://bugzilla.redhat.com/show_bug.cgi?id=2235479
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26735
https://notcve.org/view.php?id=CVE-2023-26735
blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources. NOTE: this is disputed by third parties because authentication can be configured.
• http://blackboxexporter.com http://prometheus.com https://github.com/prometheus/blackbox_exporter#tls-and-basic-authentication https://github.com/prometheus/blackbox_exporter/issues/1024 https://github.com/prometheus/blackbox_exporter/issues/1025 https://github.com/prometheus/blackbox_exporter/issues/1026
• CWE-918: Server-Side Request Forgery (SSRF)
CVE-2022-46146 – Prometheus Exporter Toolkit vulnerable to basic authentication bypass
https://notcve.org/view.php?id=CVE-2022-46146
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypt-hashed passwords, they can bypass authentication by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but an attacker must have access to the hashed password to exploit this issue.
• http://www.openwall.com/lists/oss-security/2022/11/29/1 http://www.openwall.com/lists/oss-security/2022/11/29/2 http://www.openwall.com/lists/oss-security/2022/11/29/4 https://github.com/prometheus/exporter-toolkit/commit/5b1eab34484ddd353986bce736cd119d863e4ff5 https://github.com/prometheus/exporter-toolkit/security/advisories/GHSA-7rg2-cxvp-9p7p https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JRSHISR64L6QGSMDFZDNPHHIXSCAKK26 https://lists.fedoraproject.org/archi
• CWE-287: Improper Authentication CWE-303: Incorrect Implementation of Authentication Algorithm CWE-305: Authentication Bypass by Primary Weakness
CVE-2022-21698 – Uncontrolled Resource Consumption in promhttp
https://notcve.org/view.php?id=CVE-2022-21698
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.
• https://github.com/prometheus/client_golang/pull/962 https://github.com/prometheus/client_golang/pull/987 https://github.com/prometheus/client_golang/releases/tag/v1.11.1 https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D https://lists.fedor
• CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling CWE-772: Missing Release of Resource after Effective Lifetime
CVE-2021-29622 – Arbitrary redirects under /new endpoint
https://notcve.org/view.php?id=CVE-2021-29622
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed with /new redirect to /. Due to a bug in the code, an attacker can craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server with a specially crafted address, they can be redirected to an arbitrary URL.
• https://github.com/prometheus/prometheus/releases/tag/v2.26.1 https://github.com/prometheus/prometheus/releases/tag/v2.27.1 https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7 https://access.redhat.com/security/cve/CVE-2021-29622 https://bugzilla.redhat.com/show_bug.cgi?id=1962718
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')