prometheus prometheus vulnerabilities and exploits

(subscribe to this query)

5.8

CVSSv2

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an malicious user to c...

Prometheus Prometheus Prometheus Prometheus 2.27.0

7.5

CVSSv2

Prometheus 6.0 and previous versions allows remote malicious users to execute arbitrary PHP code via a modified PROMETHEUS_LIBRARY_BASE that points to code stored on a remote server, which is then used in (1) index.php, (2) install.php, or (3) various test_*.php scripts.

Jason Orcutt Prometheus 3.0 Beta Jason Orcutt Prometheus 4.0 Beta Jason Orcutt Prometheus 6.0

1 EDB exploit

4.3

CVSSv2

A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scri...

Prometheus Prometheus Redhat Openshift Container Platform 3.11

5

CVSSv2

Prometheus Blackbox Exporter up to and including 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability

Prometheus Blackbox Exporter

NA

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 a...

Prometheus Exporter Toolkit

NA

blackbox_exporter v0.23.0 exists to contain an access control issue in its probe interface. This vulnerability allows malicious users to detect intranet ports and services, as well as download resources. NOTE: this is disputed by third parties because authentication can be config...

Prometheus Blackbox Exporter 0.23.0

NA

Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue ha...

Prometheus Alertmanager 0.25.0 Debian Debian Linux 10.0

5

CVSSv2

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde...

Prometheus Client Golang Fedoraproject Fedora 34 Fedoraproject Fedora 35 Fedoraproject Fedora 36 Fedoraproject Extra Packages For Enterprise Linux 8.0 Fedoraproject Extra Packages For Enterprise Linux 7.0 Rdo Project Rdo -Fedoraproject Fedora 37

4.3

CVSSv2

Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.

Bootstrap-3-typeahead Project Bootstrap-3-typeahead

5

CVSSv2

The Alias feature in SnakeYAML prior to 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Snakeyaml Project Snakeyaml Fedoraproject Fedora 31 Fedoraproject Fedora 32 Quarkus Quarkus Oracle Peoplesoft Enterprise Pt Peopletools 8.56 Oracle Peoplesoft Enterprise Pt Peopletools 8.57 Oracle Peoplesoft Enterprise Pt Peopletools 8.58

3 Github repositories

Get Started

1 2 3 4 NEXT »

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook