Bug 2235479 (CVE-2023-40577) - CVE-2023-40577 prometheus-alertmanager: UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
Summary: CVE-2023-40577 prometheus-alertmanager: UI is vulnerable to stored XSS via th...
Status: NEW
Alias: CVE-2023-40577
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On:
Blocks: 2235477
TreeView+ depends on / blocked
Reported: 2023-08-28 20:12 UTC by Chess Hazlett
Modified: 2024-02-27 20:49 UTC (History)
10 users (show)

Fixed In Version: Alertmanager 0.25.1
Doc Type: If docs needed, set a value
Doc Text:
Prometheus Alertmanager is vulnerable to cross-site scripting due to improper validation of user-supplied input by the /api/v1/alerts endpoint. This issue could allow a remote attacker to inject malicious script into a web page, which would be executed in a victim's web browser within the hosting website once the page is viewed, allow the attacker to steal the victim's cookie-based authentication credentials.
Clone Of:
Last Closed:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:49:38 UTC

Description Chess Hazlett 2023-08-28 20:12:56 UTC
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in Alertmanager version 0.2.51.

Comment 3 errata-xmlrpc 2024-02-27 20:49:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Note You need to log in before you can comment on or make changes to this bug.