PT-2023-9332 · Unknown · Alertmanager
Oxeye-Daniel
Published 2023-08-23 · Updated 2024-11-08
CVE-2023-40577
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Alertmanager versions prior to 0.2.51
Description
The vulnerability stems from improper neutralization of input during web page generation (cross-site scripting) in the /api/v1/alerts endpoint of the Alertmanager component of the Prometheus monitoring system. An attacker able to send POST requests to the /api/v1/alerts endpoint could execute arbitrary JavaScript in the browsers of Prometheus Alertmanager users.
Recommendations
For versions prior to 0.2.51, upgrade to Alertmanager version 0.2.51.
As a temporary workaround, consider setting up a reverse proxy in front of the Alertmanager web server to forbid access to the /api/v1/alerts endpoint.
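The reverse-proxy workaround above, written out as an added nginx example (not configuration from the advisory or from the Alertmanager project); it assumes Alertmanager listens only on 127.0.0.1:9093 and that the proxy on port 9094 is the sole address exposed to clients:

```nginx
# Added example: nginx in front of Alertmanager, refusing every request to
# the vulnerable /api/v1/alerts endpoint while proxying everything else.
# Assumptions: Alertmanager was started with --web.listen-address=127.0.0.1:9093
# (so it is not reachable directly) and clients only see the proxy on :9094.
upstream alertmanager {
    server 127.0.0.1:9093;
}

server {
    listen 9094;
    server_name _;

    # nginx selects the longest matching prefix location, so this block
    # takes precedence over "/" below and refuses /api/v1/alerts (and any
    # sub-path) for every HTTP method, as the temporary workaround advises.
    # Caveat: any producer still pushing alerts through the v1 API is
    # blocked as well; move such clients to /api/v2/alerts first.
    location /api/v1/alerts {
        return 403;
    }

    # UI, /api/v2/, /metrics and the rest pass through unchanged.
    location / {
        proxy_pass http://alertmanager;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Verify the block with a request to the proxied path (expect HTTP 403) and to the Alertmanager UI root (expect HTTP 200) before relying on it; the workaround is only as strong as the guarantee that port 9093 cannot be reached directly.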
Exploit
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Alt Linux
Alertmanager
Debian
Linuxmint
Red Os
Suse
Ubuntu