Bug 1672865 (CVE-2019-3826)
| Summary: | CVE-2019-3826 prometheus: Stored DOM cross-site scripting (XSS) attack via crafted URL | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ahardin, bleanhar, bmontgom, ccoleman, chazlett, dedgar, eparis, jburrell, jgoulding, jokerman, mchappel, nstielau, spasquie, sponnaga |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | prometheus 2.7.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-25 09:51:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1672866, 1672867, 1672870, 1672871, 1677478, 1677479, 1677480 | ||
| Bug Blocks: | 1672868 | ||
|
Description
Sam Fowler
2019-02-06 04:31:24 UTC
Created golang-github-prometheus-prometheus tracking bugs for this issue: Affects: epel-6 [bug 1672867] Affects: fedora-all [bug 1672866] Prometheus Cluster Monitoring was a Technology Preview feature before OpenShift Container Platform 3.11. https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html-single/release_notes/#ocp-311-technology-preview |