Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities found for prometheus by prometheus
CVE-2026-44903 (GCVE-0-2026-44903)
Vulnerability from nvd – Published: 2026-05-26 21:27 – Updated: 2026-05-27 14:20
VLAI
Title
Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI
Summary
Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/commit/3… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
>= 2.49.0, < 3.5.3
Affected: >= 3.6.0-rc.0, < 3.11.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T14:19:11.558921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:20:35.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.49.0, \u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0-rc.0, \u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server\u0027s legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T21:27:18.597Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28"
},
{
"name": "https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d"
}
],
"source": {
"advisory": "GHSA-fw8g-cg8f-9j28",
"discovery": "UNKNOWN"
},
"title": "Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44903",
"datePublished": "2026-05-26T21:27:18.597Z",
"dateReserved": "2026-05-07T21:50:33.547Z",
"dateUpdated": "2026-05-27T14:20:35.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42154 (GCVE-0-2026-42154)
Vulnerability from nvd – Published: 2026-05-04 18:13 – Updated: 2026-05-04 20:19
VLAI
Title
Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Summary
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18584 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/pull/18585 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
< 3.5.3
Affected: >= 3.6.0, < 3.11.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T20:18:48.754025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T20:19:13.876Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:13:12.340Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18584",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18584"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18585",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18585"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
}
],
"source": {
"advisory": "GHSA-8rm2-7qqf-34qm",
"discovery": "UNKNOWN"
},
"title": "Prometheus: remote read endpoint allows denial of service via crafted snappy payload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42154",
"datePublished": "2026-05-04T18:13:12.340Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-05-04T20:19:13.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42151 (GCVE-0-2026-42151)
Vulnerability from nvd – Published: 2026-05-04 18:12 – Updated: 2026-05-04 19:55
VLAI
Title
Prometheus Azure AD remote write OAuth client secret exposed via config API
Summary
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18587 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/pull/18590 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
< 3.5.3
Affected: >= 3.6.0, < 3.11.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T19:54:39.314002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T19:55:09.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:12:16.917Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18587",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18587"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18590",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18590"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
}
],
"source": {
"advisory": "GHSA-wg65-39gg-5wfj",
"discovery": "UNKNOWN"
},
"title": "Prometheus Azure AD remote write OAuth client secret exposed via config API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42151",
"datePublished": "2026-05-04T18:12:16.917Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-05-04T19:55:09.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40179 (GCVE-0-2026-40179)
Vulnerability from nvd – Published: 2026-04-15 22:26 – Updated: 2026-04-16 14:21
VLAI
Title
Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer
Summary
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18506 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/commit/0… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
>= 3.0.0, < 3.5.2
Affected: >= 3.6.0, < 3.11.2 Affected: < 0.311.2-0.20260410083055-07c6232d159b |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T14:21:31.807163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T14:21:42.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.5.2"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.2"
},
{
"status": "affected",
"version": "\u003c 0.311.2-0.20260410083055-07c6232d159b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like \u003c, \u003e, and \" are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T22:26:46.909Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18506",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18506"
},
{
"name": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c"
}
],
"source": {
"advisory": "GHSA-vffh-x6r8-xx99",
"discovery": "UNKNOWN"
},
"title": "Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40179",
"datePublished": "2026-04-15T22:26:46.909Z",
"dateReserved": "2026-04-09T20:59:17.619Z",
"dateUpdated": "2026-04-16T14:21:42.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-29622 (GCVE-0-2021-29622)
Vulnerability from nvd – Published: 2021-05-19 20:00 – Updated: 2024-08-03 22:11
VLAI
Title
Arbitrary redirects under /new endpoint
Summary
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
Severity
6.5 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
>= 2.23.0, < 2.27.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:11:06.291Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.26.1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.27.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.23.0, \u003c 2.27.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL\u0027s prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-19T20:00:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.26.1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.27.1"
}
],
"source": {
"advisory": "GHSA-vx57-7f4q-fpc7",
"discovery": "UNKNOWN"
},
"title": "Arbitrary redirects under /new endpoint",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29622",
"STATE": "PUBLIC",
"TITLE": "Arbitrary redirects under /new endpoint"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prometheus",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.23.0, \u003c 2.27.1"
}
]
}
}
]
},
"vendor_name": "prometheus"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL\u0027s prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7",
"refsource": "CONFIRM",
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v2.26.1",
"refsource": "MISC",
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.26.1"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v2.27.1",
"refsource": "MISC",
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.27.1"
}
]
},
"source": {
"advisory": "GHSA-vx57-7f4q-fpc7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29622",
"datePublished": "2021-05-19T20:00:13.000Z",
"dateReserved": "2021-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:11:06.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3826 (GCVE-0-2019-3826)
Vulnerability from nvd – Published: 2019-03-26 17:48 – Updated: 2024-08-04 19:19
VLAI
Summary
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.
Severity
6.1 (Medium)
CWE
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/5163 | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/commit/6… | x_refsource_CONFIRM |
| https://access.redhat.com/errata/RHBA-2019:0327 | vendor-advisoryx_refsource_REDHAT |
| https://lists.apache.org/thread.html/rdf2a0d94c3b… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r8e3f7da12bf… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r48d5019bd42… | mailing-listx_refsource_MLIST |
| https://advisory.checkmarx.net/advisory/CX-2019-4297 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| [UNKNOWN] | prometheus |
Affected:
2.7.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/pull/5163"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/commit/62e591f9"
},
{
"name": "RHBA-2019:0327",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2019-4297"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "2.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T20:22:42.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/pull/5163"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/commit/62e591f9"
},
{
"name": "RHBA-2019:0327",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2019-4297"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-3826",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prometheus",
"version": {
"version_data": [
{
"version_value": "2.7.1"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826"
},
{
"name": "https://github.com/prometheus/prometheus/pull/5163",
"refsource": "CONFIRM",
"url": "https://github.com/prometheus/prometheus/pull/5163"
},
{
"name": "https://github.com/prometheus/prometheus/commit/62e591f9",
"refsource": "CONFIRM",
"url": "https://github.com/prometheus/prometheus/commit/62e591f9"
},
{
"name": "RHBA-2019:0327",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://advisory.checkmarx.net/advisory/CX-2019-4297",
"refsource": "MISC",
"url": "https://advisory.checkmarx.net/advisory/CX-2019-4297"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-3826",
"datePublished": "2019-03-26T17:48:31.000Z",
"dateReserved": "2019-01-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T19:19:18.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-44903 (GCVE-0-2026-44903)
Vulnerability from cvelistv5 – Published: 2026-05-26 21:27 – Updated: 2026-05-27 14:20
VLAI
Title
Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI
Summary
Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/commit/3… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
>= 2.49.0, < 3.5.3
Affected: >= 3.6.0-rc.0, < 3.11.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T14:19:11.558921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:20:35.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.49.0, \u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0-rc.0, \u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server\u0027s legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T21:27:18.597Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28"
},
{
"name": "https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d"
}
],
"source": {
"advisory": "GHSA-fw8g-cg8f-9j28",
"discovery": "UNKNOWN"
},
"title": "Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44903",
"datePublished": "2026-05-26T21:27:18.597Z",
"dateReserved": "2026-05-07T21:50:33.547Z",
"dateUpdated": "2026-05-27T14:20:35.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42154 (GCVE-0-2026-42154)
Vulnerability from cvelistv5 – Published: 2026-05-04 18:13 – Updated: 2026-05-04 20:19
VLAI
Title
Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Summary
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18584 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/pull/18585 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
< 3.5.3
Affected: >= 3.6.0, < 3.11.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T20:18:48.754025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T20:19:13.876Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:13:12.340Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18584",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18584"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18585",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18585"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
}
],
"source": {
"advisory": "GHSA-8rm2-7qqf-34qm",
"discovery": "UNKNOWN"
},
"title": "Prometheus: remote read endpoint allows denial of service via crafted snappy payload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42154",
"datePublished": "2026-05-04T18:13:12.340Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-05-04T20:19:13.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42151 (GCVE-0-2026-42151)
Vulnerability from cvelistv5 – Published: 2026-05-04 18:12 – Updated: 2026-05-04 19:55
VLAI
Title
Prometheus Azure AD remote write OAuth client secret exposed via config API
Summary
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18587 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/pull/18590 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
< 3.5.3
Affected: >= 3.6.0, < 3.11.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T19:54:39.314002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T19:55:09.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:12:16.917Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18587",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18587"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18590",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18590"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
}
],
"source": {
"advisory": "GHSA-wg65-39gg-5wfj",
"discovery": "UNKNOWN"
},
"title": "Prometheus Azure AD remote write OAuth client secret exposed via config API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42151",
"datePublished": "2026-05-04T18:12:16.917Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-05-04T19:55:09.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40179 (GCVE-0-2026-40179)
Vulnerability from cvelistv5 – Published: 2026-04-15 22:26 – Updated: 2026-04-16 14:21
VLAI
Title
Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer
Summary
Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like <, >, and " are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18506 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/commit/0… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
>= 3.0.0, < 3.5.2
Affected: >= 3.6.0, < 3.11.2 Affected: < 0.311.2-0.20260410083055-07c6232d159b |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T14:21:31.807163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T14:21:42.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.5.2"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.2"
},
{
"status": "affected",
"version": "\u003c 0.311.2-0.20260410083055-07c6232d159b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like \u003c, \u003e, and \" are now valid in metric names and labels. An attacker who can inject metrics via a compromised scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration, data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions 3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g., --web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested; and refrain from clicking untrusted links, particularly those containing functions such as label_replace, as they may generate poisoned label names and values."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T22:26:46.909Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vffh-x6r8-xx99"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18506",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18506"
},
{
"name": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/commit/07c6232d159bfb474a077788be184d87adcfac3c"
}
],
"source": {
"advisory": "GHSA-vffh-x6r8-xx99",
"discovery": "UNKNOWN"
},
"title": "Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40179",
"datePublished": "2026-04-15T22:26:46.909Z",
"dateReserved": "2026-04-09T20:59:17.619Z",
"dateUpdated": "2026-04-16T14:21:42.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-29622 (GCVE-0-2021-29622)
Vulnerability from cvelistv5 – Published: 2021-05-19 20:00 – Updated: 2024-08-03 22:11
VLAI
Title
Arbitrary redirects under /new endpoint
Summary
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
Severity
6.5 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
>= 2.23.0, < 2.27.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:11:06.291Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.26.1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.27.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.23.0, \u003c 2.27.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL\u0027s prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-19T20:00:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.26.1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.27.1"
}
],
"source": {
"advisory": "GHSA-vx57-7f4q-fpc7",
"discovery": "UNKNOWN"
},
"title": "Arbitrary redirects under /new endpoint",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29622",
"STATE": "PUBLIC",
"TITLE": "Arbitrary redirects under /new endpoint"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prometheus",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.23.0, \u003c 2.27.1"
}
]
}
}
]
},
"vendor_name": "prometheus"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL\u0027s prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7",
"refsource": "CONFIRM",
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v2.26.1",
"refsource": "MISC",
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.26.1"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v2.27.1",
"refsource": "MISC",
"url": "https://github.com/prometheus/prometheus/releases/tag/v2.27.1"
}
]
},
"source": {
"advisory": "GHSA-vx57-7f4q-fpc7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29622",
"datePublished": "2021-05-19T20:00:13.000Z",
"dateReserved": "2021-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:11:06.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3826 (GCVE-0-2019-3826)
Vulnerability from cvelistv5 – Published: 2019-03-26 17:48 – Updated: 2024-08-04 19:19
VLAI
Summary
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.
Severity
6.1 (Medium)
CWE
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/5163 | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/commit/6… | x_refsource_CONFIRM |
| https://access.redhat.com/errata/RHBA-2019:0327 | vendor-advisoryx_refsource_REDHAT |
| https://lists.apache.org/thread.html/rdf2a0d94c3b… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r8e3f7da12bf… | mailing-listx_refsource_MLIST |
| https://lists.apache.org/thread.html/r48d5019bd42… | mailing-listx_refsource_MLIST |
| https://advisory.checkmarx.net/advisory/CX-2019-4297 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| [UNKNOWN] | prometheus |
Affected:
2.7.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/pull/5163"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/prometheus/prometheus/commit/62e591f9"
},
{
"name": "RHBA-2019:0327",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2019-4297"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "2.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-31T20:22:42.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/pull/5163"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/commit/62e591f9"
},
{
"name": "RHBA-2019:0327",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2019-4297"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-3826",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "prometheus",
"version": {
"version_data": [
{
"version_value": "2.7.1"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "6.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826"
},
{
"name": "https://github.com/prometheus/prometheus/pull/5163",
"refsource": "CONFIRM",
"url": "https://github.com/prometheus/prometheus/pull/5163"
},
{
"name": "https://github.com/prometheus/prometheus/commit/62e591f9",
"refsource": "CONFIRM",
"url": "https://github.com/prometheus/prometheus/commit/62e591f9"
},
{
"name": "RHBA-2019:0327",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "https://advisory.checkmarx.net/advisory/CX-2019-4297",
"refsource": "MISC",
"url": "https://advisory.checkmarx.net/advisory/CX-2019-4297"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-3826",
"datePublished": "2019-03-26T17:48:31.000Z",
"dateReserved": "2019-01-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T19:19:18.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}