CVE-2023-40577
ADVISORY - GitHub
Summary
Impact
An attacker with permission to perform POST requests to the /api/v1/alerts endpoint could execute arbitrary JavaScript code in the browsers of Prometheus Alertmanager users.
Patches
Users can upgrade to Alertmanager v0.2.51.
Workarounds
Users can set up a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.
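The reverse-proxy workaround above, as an added nginx example that is not part of the advisory or the Alertmanager project; it assumes Alertmanager listens on 127.0.0.1:9093 (its default port) and that nginx is the only route to it, and the hostname is a placeholder.

```nginx
# Added example: nginx in front of Alertmanager, blocking the /api/v1/alerts endpoint.
# Assumes Alertmanager listens on 127.0.0.1:9093 (default port) and is not
# reachable by clients directly, otherwise the block can simply be bypassed.
server {
    listen 80;
    server_name alertmanager.example.internal;   # placeholder hostname

    # Regex locations take precedence over the "/" prefix location below,
    # so every method (POST included) on the vulnerable path is refused.
    location ~ ^/api/v1/alerts/?$ {
        return 403;
    }

    # Everything else is proxied to Alertmanager unchanged.
    location / {
        proxy_pass http://127.0.0.1:9093;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Verify the rule after reloading nginx by checking that a POST to /api/v1/alerts through the proxy returns 403 while other API paths still succeed.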
References
N/A
Common Weakness Enumeration (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Severity scores by source
Source      Advisory ID                      Score
NIST        -                                3.9
GitHub      -                                2.3
Alpine      -                                -
Debian      -                                -
Ubuntu      -                                2.3
GoLang      -                                -
Bitnami     BIT-alertmanager-2023-40577      3.9
Red Hat     -                                3.9
Chainguard  CGA-qrgj-wj7v-r5x2               -
Chainguard  CGA-wch8-gq8v-g3r5               -
Chainguard  CGA-7f4h-m585-rhrp               -
Chainguard  CGA-8xwx-h3q4-g46x               -
Chainguard  CGA-98g2-9g6q-wpmq               -
Chainguard  CGA-cp98-m225-5r8c               -
Chainguard  CGA-fm97-7fqm-gp74               -
Chainguard  CGA-gjg2-34xh-wgjg               -
Chainguard  CGA-jm99-fpwg-pwq5               -