Prometheus: the Prometheus monitoring system and time series database.
By the Year
In 2024 there have been 0 vulnerabilities in Prometheus. Last year Prometheus had 2 security vulnerabilities published. Right now, Prometheus is on track to have fewer security vulnerabilities in 2024 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 2 | 6.45 |
2022 | 2 | 8.15 |
2021 | 1 | 6.10 |
2020 | 1 | 5.80 |
2019 | 1 | 6.10 |
2018 | 0 | 0.00 |
It may take a day or so for new Prometheus vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Prometheus Security Vulnerabilities
Alertmanager handles alerts sent by client applications such as the Prometheus server
CVE-2023-40577
5.4 - Medium
- August 25, 2023
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with permission to perform POST requests on the /api/v1/alerts endpoint could execute arbitrary JavaScript code in the browsers of Prometheus Alertmanager users. This issue has been fixed in Alertmanager version 0.2.51.
XSS
blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface
CVE-2023-26735
7.5 - High
- April 26, 2023
blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface. This vulnerability allows attackers to detect intranet ports and services, as well as download resources. NOTE: this is disputed by third parties because authentication can be configured.
XSPA
Prometheus Exporter Toolkit is a utility package to build exporters
CVE-2022-46146
8.8 - High
- November 29, 2022
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but an attacker must have access to the hashed password to use this functionality.
authentication
client_golang is the instrumentation library for Go applications in Prometheus
CVE-2022-21698
7.5 - High
- February 15, 2022
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the `method` label name to the middleware; and not have any firewall/LB/proxy that filters away requests with an unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from the counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.
Allocation of Resources Without Limits or Throttling
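The "custom middleware before the promhttp handler" workaround for CVE-2022-21698, as an added stdlib-only example rather than code from client_golang: the request method is collapsed onto a fixed allowlist before it reaches any handler that would copy it into a `method` label, so the label's value set stays bounded no matter what method tokens a client sends. The handler name `boundMethod` and the stand-in instrumented handler are assumptions for illustration.

```go
package main

import (
	"net/http"
	"strings"
)

// knownMethods is the bounded set of values allowed to reach a `method`
// metric label. Anything else collapses into the single "other" bucket,
// which mirrors the approach of the upstream 1.11.1 fix.
var knownMethods = map[string]struct{}{
	"GET": {}, "HEAD": {}, "POST": {}, "PUT": {}, "DELETE": {},
	"CONNECT": {}, "OPTIONS": {}, "TRACE": {}, "PATCH": {},
}

// sanitizeMethod returns the upper-cased method if it is in the allowlist
// and "other" otherwise, so arbitrary method tokens cannot create new
// label values (and thus new time series) on every request.
func sanitizeMethod(m string) string {
	upper := strings.ToUpper(m)
	if _, ok := knownMethods[upper]; ok {
		return upper
	}
	return "other"
}

// boundMethod is the middleware (name assumed here) placed in front of the
// promhttp.InstrumentHandler* chain. It hands the next handler a request
// whose Method is always one of the bounded values.
func boundMethod(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r2 := r.Clone(r.Context())
		r2.Method = sanitizeMethod(r.Method)
		next.ServeHTTP(w, r2)
	})
}

func main() {
	// Constructed stand-in for a promhttp-instrumented handler: it only
	// echoes the method value that would have become a label.
	instrumented := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("method label would be: " + r.Method + "\n"))
	})
	http.ListenAndServe(":8080", boundMethod(instrumented))
}
```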
Prometheus is an open-source monitoring system and time series database
CVE-2021-29622
6.1 - Medium
- May 19, 2021
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
Open Redirect
Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF
CVE-2020-16248
5.8 - Medium
- August 09, 2020
Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF. NOTE: follow-on discussion suggests that this might plausibly be interpreted as both intended functionality and also a vulnerability.
XSPA
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1
CVE-2019-3826
6.1 - Medium
- March 26, 2019
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.
XSS