CVE-2023-40577

Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in Alertmanager version 0.2.51.

Alertmanager gestiona alertas enviadas por aplicaciones cliente como el servidor Prometheus. Un atacante con permiso para realizar peticiones POST en el endpoint "/api/v1/alerts" podría ser capaz de ejecutar código JavaScript arbitrario en los usuarios de Prometheus Alertmanager. Este problema se ha solucionado en la versión 0.2.51 de Alertmanager.

Prometheus Alertmanager is vulnerable to cross-site scripting due to improper validation of user-supplied input by the /api/v1/alerts endpoint. This issue could allow a remote attacker to inject malicious script into a web page, which would be executed in a victim's web browser within the hosting website once the page is viewed, allow the attacker to steal the victim's cookie-based authentication credentials.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-08-16 CVE Reserved
2023-08-25 CVE Published
2024-08-31 EPSS Updated
2024-10-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (4)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2023/10/msg00011.html	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j	2023-10-24
https://access.redhat.com/security/cve/CVE-2023-40577	2024-02-27
https://bugzilla.redhat.com/show_bug.cgi?id=2235479	2024-02-27

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Prometheus Search vendor "Prometheus"		Alertmanager Search vendor "Prometheus" for product "Alertmanager"				0.25.0 Search vendor "Prometheus" for product "Alertmanager" and version "0.25.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected