CVE-2023-40577
Source: GitHub
Summary
Impact
An attacker with permission to send POST requests to the /api/v1/alerts endpoint could execute arbitrary JavaScript code in the browsers of Prometheus Alertmanager users.
Patches
Users can upgrade to Alertmanager v0.2.51.
Workarounds
Users can set up a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.
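The following nginx configuration is an added example of the reverse-proxy workaround described above; it is not from the Prometheus project or the advisory. It assumes Alertmanager listens on 127.0.0.1:9093 and that nginx is the only path by which clients reach it.

```nginx
# Added example: block the /api/v1/alerts endpoint at the proxy while
# passing everything else through to Alertmanager. Assumptions: Alertmanager
# is bound to 127.0.0.1:9093 and is not reachable except via this proxy.
server {
    listen 80;
    server_name alertmanager.example.internal;   # placeholder hostname

    # "^~" is a prefix match that wins over regex locations, so both
    # /api/v1/alerts and /api/v1/alerts/... are refused for every method.
    location ^~ /api/v1/alerts {
        return 403;
    }

    # Everything else (UI, /api/v2/...) is forwarded unchanged.
    location / {
        proxy_pass http://127.0.0.1:9093;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, a request such as `curl -i -X POST http://alertmanager.example.internal/api/v1/alerts` should return 403 while the v2 API and the web UI keep working. The block only helps if the Alertmanager port itself is not exposed; check with a firewall rule or by binding Alertmanager to the loopback address (`--web.listen-address=127.0.0.1:9093`).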
References
N/A
Common Weakness Enumeration (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity by source (exploitability subscore, CVSS score, severity; "-" means no rating published)

Source      Advisory ID            Exploitability  CVSS score  Severity
NIST        -                      2.3             5.4         medium
GitHub      -                      2.3             5.4         medium
Alpine      -                      -               -           -
Debian      -                      -               N/A         low
Ubuntu      -                      2.3             5.4         medium
GoLang      -                      -               -           -
Red Hat     -                      3.9             7.5         medium
Chainguard  CGA-qrgj-wj7v-r5x2     -               -           -
Chainguard  CGA-wch8-gq8v-g3r5     -               -           -
Chainguard  CGA-7f4h-m585-rhrp     -               -           -
Chainguard  CGA-8xwx-h3q4-g46x     -               -           -
Chainguard  CGA-98g2-9g6q-wpmq     -               -           -
Chainguard  CGA-cp98-m225-5r8c     -               -           -
Chainguard  CGA-fm97-7fqm-gp74     -               -           -
Chainguard  CGA-gjg2-34xh-wgjg     -               -           -
Chainguard  CGA-jm99-fpwg-pwq5     -               -           -