PT-2023-9332 · Alertmanager

Credit: Oxeye-Daniel
Published: 2023-08-23 · Updated: 2024-11-08
CVE-2023-40577
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Alertmanager versions prior to 0.2.51
Description: The vulnerability is an improper neutralization of input data during web page generation (cross-site scripting) in the /api/v1/alerts endpoint of the Alertmanager component of the Prometheus monitoring system. An attacker permitted to send POST requests to the /api/v1/alerts endpoint can execute arbitrary JavaScript in the browsers of Prometheus Alertmanager users.
Recommendations: For versions prior to 0.2.51, upgrade to Alertmanager version 0.2.51. As a temporary workaround, place a reverse proxy in front of the Alertmanager web server and forbid access to the /api/v1/alerts endpoint.
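An added illustration of the reverse-proxy workaround above (not part of the original record or of the Alertmanager project): an nginx server block that returns 403 for the /api/v1/alerts endpoint and proxies every other request to Alertmanager. The upstream address 127.0.0.1:9093 and the hostname are assumptions.

```nginx
# Added example: nginx in front of Alertmanager, blocking the endpoint named in the advisory.
# Assumption: Alertmanager listens only on 127.0.0.1:9093 and is not reachable by clients directly.
server {
    listen 80;
    server_name alertmanager.example.internal;  # assumed hostname

    # Prefix match (^~) so /api/v1/alerts and any sub-path are refused before proxying.
    location ^~ /api/v1/alerts {
        return 403;
    }

    # Everything else (UI, /api/v2/..., metrics) is passed through unchanged.
    location / {
        proxy_pass http://127.0.0.1:9093;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The block also refuses legitimate clients that still post alerts to the v1 API, so confirm which API version your alert senders use before relying on it.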

Weakness Enumeration

XSS

Related Identifiers

ALT-PU-2023-8410
BDU:2024-06600
BIT-ALERTMANAGER-2023-40577
CVE-2023-40577
DLA-3609-1
ECHO-C766-677F-419D
GHSA-V86X-5FM3-5P7J
GO-2023-2020
OPENSUSE-SU-2024:13599-1
OPENSUSE-SU-2024_0512-1
SUSE-SU-2024:0191-1
SUSE-SU-2024:0486-1
SUSE-SU-2024:0512-1
USN-6935-1

Affected Products

Alt Linux
Alertmanager
Debian
Linuxmint
Red Os
Suse
Ubuntu