Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12ODZ4LTVmbTMtNXA3as4AA1eS
Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
Impact
An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager.
Patches
Users can upgrade to Alertmanager v0.2.51.
Workarounds
Users can setup a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.
References
N/A
Permalink: https://github.com/advisories/GHSA-v86x-5fm3-5p7jJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12ODZ4LTVmbTMtNXA3as4AA1eS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-v86x-5fm3-5p7j, CVE-2023-40577
References:
- https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j
- https://nvd.nist.gov/vuln/detail/CVE-2023-40577
- https://lists.debian.org/debian-lts-announce/2023/10/msg00011.html
- https://github.com/advisories/GHSA-v86x-5fm3-5p7j
Blast Radius: 19.3
Affected Packages
go:github.com/prometheus/alertmanager
Dependent packages: 481Dependent repositories: 3,798
Downloads:
Affected Version Ranges: <= 0.25.0
Fixed in: 0.25.1
All affected versions: 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.21.0, 0.22.0, 0.22.1, 0.22.2, 0.23.0, 0.24.0, 0.25.0
All unaffected versions: 0.25.1, 0.26.0