Prometheus

The Prometheus monitoring system and time series database.


Products by Prometheus, sorted by most security vulnerabilities since 2018

Prometheus Blackbox Exporter: 2 vulnerabilities

Prometheus: 2 vulnerabilities

Prometheus Alertmanager: 1 vulnerability

Prometheus Client Golang: 1 vulnerability

By the Year

In 2024 there have been 0 vulnerabilities published for Prometheus so far. Last year Prometheus had 2 security vulnerabilities published. On current numbers, Prometheus is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 2 6.45
2022 2 8.15
2021 1 6.10
2020 1 5.80
2019 1 6.10
2018 0 0.00

It may take a day or so for new Prometheus vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (the exporter-toolkit and client_golang entries below are examples of components that ship separately from the Prometheus server).

Recent Prometheus Security Vulnerabilities

Alertmanager handles alerts sent by client applications such as the Prometheus server

CVE-2023-40577 5.4 - Medium - August 25, 2023

Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with permission to perform POST requests on the /api/v1/alerts endpoint could execute arbitrary JavaScript in the browsers of Prometheus Alertmanager UI users (stored XSS). The advisory text gives the fixed version as "0.2.51"; that is not a valid Alertmanager version string (releases are numbered 0.25.x, 0.26.x), so verify the fixed release against the upstream release notes before relying on it.

XSS

blackbox_exporter v0.23.0 was discovered to contain an access control issue in its probe interface

CVE-2023-26735 7.5 - High - April 26, 2023

blackbox_exporter v0.23.0 was reported to contain an access control issue in its probe interface: the /probe endpoint accepts an arbitrary target parameter, so anyone who can reach it can use the exporter to detect intranet ports and services and to fetch internal resources (XSPA/SSRF). NOTE: this is disputed by third parties because authentication can be configured for the exporter and probing caller-chosen targets is its purpose; see also CVE-2020-16248 below, which covers the same behaviour in earlier releases.

XSPA

Prometheus Exporter Toolkit is a utility package to build exporters

CVE-2022-46146 8.8 - High - November 29, 2022

Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, anyone who has access to a Prometheus web.yml file and the users' bcrypt password hashes can bypass authentication by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but an attacker must already hold the hashed password to exploit the issue.

Authentication Bypass

client_golang is the instrumentation library for Go applications in Prometheus

CVE-2022-21698 7.5 - High - February 15, 2022

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods: every distinct method string a client sends becomes a new `method` label value, and therefore a new time series that is never freed. To be affected, an instrumented program must meet all of the following:

- use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`;
- not filter specific methods (e.g. GET) before the middleware;
- pass a metric with a `method` label name to the middleware; and
- not have a firewall, load balancer or proxy that filters away requests with unknown methods.

client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available:

- remove the `method` label name from the counter/gauge used in the InstrumentHandler;
- turn off the affected promhttp handlers;
- add custom middleware before the promhttp handler that sanitizes the request method given by Go's http.Request; or
- use a reverse proxy or web application firewall configured to allow only a limited set of methods.

Allocation of Resources Without Limits or Throttling
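The following is an added example, not code from the client_golang project, that reproduces the cardinality problem described above and the two remedies the advisory names. The `MethodCounter` type is a constructed stand-in for a promhttp counter with a `method` label (one map entry per label value, so the program runs without the client_golang module); `sanitizeMethod` is a reconstruction of the patched behaviour, which collapses anything outside the standard method set to a single "unknown" value, and `allowMethods` is the "custom middleware before the promhttp handler" workaround. The `flood` helper sends 500 requests with distinct, syntactically valid methods and reports how many series that produced.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MethodCounter is a constructed stand-in for a promhttp counter carrying a
// `method` label: every distinct label value is its own time series and is
// kept for the life of the process. It is not client_golang's CounterVec.
type MethodCounter struct {
	series map[string]int
}

func NewMethodCounter() *MethodCounter { return &MethodCounter{series: map[string]int{}} }

func (c *MethodCounter) Inc(method string) { c.series[method]++ }

// Cardinality is the number of distinct `method` values, i.e. the number of
// time series (and the memory) a client has forced the process to hold.
func (c *MethodCounter) Cardinality() int { return len(c.series) }

// instrumentRaw reproduces the affected behaviour: the label value is whatever
// method string the client put in the request line, lower-cased.
func instrumentRaw(c *MethodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.Inc(strings.ToLower(r.Method))
		next.ServeHTTP(w, r)
	})
}

// standardMethods is the bounded set a sanitizer maps into; anything else
// collapses to the single value "unknown", capping cardinality at len+1.
var standardMethods = map[string]bool{
	"get": true, "head": true, "post": true, "put": true, "delete": true,
	"connect": true, "options": true, "trace": true, "patch": true,
}

// sanitizeMethod is a reconstruction of the patched shape (assumed, not the
// promhttp source): known methods pass through, everything else is "unknown".
func sanitizeMethod(m string) string {
	m = strings.ToLower(m)
	if standardMethods[m] {
		return m
	}
	return "unknown"
}

// instrumentSanitized labels only after sanitizing, so the series set is bounded.
func instrumentSanitized(c *MethodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.Inc(sanitizeMethod(r.Method))
		next.ServeHTTP(w, r)
	})
}

// allowMethods is the workaround for code that cannot upgrade: middleware in
// front of the instrumented handler that rejects any non-standard method
// before a metric is ever touched.
func allowMethods(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !standardMethods[strings.ToLower(r.Method)] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func okHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
}

// flood sends n requests with distinct, token-valid but non-standard methods
// (METHOD0000, METHOD0001, ...) followed by one GET, and reports the resulting
// label cardinality and how many requests were rejected with 405.
func flood(c *MethodCounter, h http.Handler, n int) (cardinality, rejected int) {
	for i := 0; i < n; i++ {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(fmt.Sprintf("METHOD%04d", i), "/", nil))
		if rec.Code == http.StatusMethodNotAllowed {
			rejected++
		}
	}
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil))
	return c.Cardinality(), rejected
}

func main() {
	for _, tc := range []struct {
		name string
		wrap func(*MethodCounter, http.Handler) http.Handler
	}{
		{"raw (affected)", instrumentRaw},
		{"sanitized (patched shape)", instrumentSanitized},
		{"allowlist middleware (workaround)", func(c *MethodCounter, h http.Handler) http.Handler {
			return allowMethods(instrumentRaw(c, h))
		}},
	} {
		c := NewMethodCounter()
		card, rej := flood(c, tc.wrap(c, okHandler()), 500)
		fmt.Printf("%-35s series=%d rejected=%d\n", tc.name, card, rej)
	}
}
```

The raw handler ends up with 501 series after 500 garbage methods plus the GET; the sanitized handler holds 2 ("get" and "unknown"); the allowlist middleware holds 1 and rejects the other 500 before they reach the metric. Note the ordering in the third case: the allowlist must sit in front of the instrumented handler, since an `InstrumentHandler*` wrapper placed outside it would label the request before the rejection happens.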

Prometheus is an open-source monitoring system and time series database

CVE-2021-29622 6.1 - Medium - May 19, 2021

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed with /new redirect to /. Due to a bug in that code, an attacker can craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server via such a specially crafted address, they are redirected to an arbitrary URL (open redirect). The issue was patched in the 2.26.1 and 2.27.1 releases; in 2.28.0 the /new endpoint is removed completely. The workaround is to block access to /new with a reverse proxy in front of Prometheus.

Open Redirect
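As an added illustration of the bug class (not the Prometheus source or its actual fix), the handler pair below shows how a prefix-stripping redirect becomes an open redirect and what a same-origin check looks like. `vulnerableNewRedirect` strips "/new" and redirects to whatever remains, so a request for /new//evil.example/x yields a scheme-relative Location of //evil.example/x, which browsers resolve to an external origin; `safeNewRedirect` only accepts a path that starts with a single "/", has no scheme, host or userinfo after parsing, and is normalised with path.Clean, falling back to "/" otherwise. The hostname evil.example and the paths in `main` are constructed inputs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// vulnerableNewRedirect: the "/new" prefix is stripped and whatever remains
// becomes the Location header unchecked. "/new//evil.example/x" leaves
// "//evil.example/x", a scheme-relative URL pointing at another origin.
// (Illustration of the class, not Prometheus's original code.)
func vulnerableNewRedirect(w http.ResponseWriter, r *http.Request) {
	target := strings.TrimPrefix(r.URL.Path, "/new")
	if target == "" {
		target = "/"
	}
	if r.URL.RawQuery != "" {
		target += "?" + r.URL.RawQuery
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// safeLocalPath accepts only a same-origin absolute path: exactly one leading
// "/" (so "//host" and "/\host" are refused), nothing that parses to a
// scheme, host or userinfo, and the result is cleaned. Anything else -> "/".
func safeLocalPath(p string) string {
	if p == "" || !strings.HasPrefix(p, "/") ||
		strings.HasPrefix(p, "//") || strings.HasPrefix(p, "/\\") {
		return "/"
	}
	u, err := url.Parse(p)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "/"
	}
	cleaned := path.Clean(u.Path)
	if !strings.HasPrefix(cleaned, "/") {
		return "/"
	}
	return cleaned
}

// safeNewRedirect keeps the transition behaviour (query string preserved)
// but only ever redirects within the server's own origin.
func safeNewRedirect(w http.ResponseWriter, r *http.Request) {
	target := safeLocalPath(strings.TrimPrefix(r.URL.Path, "/new"))
	if r.URL.RawQuery != "" {
		target += "?" + r.URL.RawQuery
	}
	http.Redirect(w, r, target, http.StatusFound)
}

// redirectLocation runs h against a GET for rawPath and returns the Location
// header it produced.
func redirectLocation(h http.HandlerFunc, rawPath string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Header().Get("Location")
}

func main() {
	// Constructed inputs: a legitimate UI path and an open-redirect attempt.
	for _, p := range []string{"/new/graph?g0.expr=up", "/new//evil.example/x"} {
		fmt.Printf("%-24s vulnerable=%-20q safe=%q\n",
			p, redirectLocation(vulnerableNewRedirect, p), redirectLocation(safeNewRedirect, p))
	}
}
```

The check deliberately works on the decoded `r.URL.Path`, so percent-encoded variants such as /new/%2F%2Fevil.example are caught after decoding, and it rejects the backslash form because browsers normalise "/\host" to "//host". Blocking /new at a reverse proxy, as the advisory suggests, removes the handler from the attack surface entirely and needs no such check.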

Prometheus Blackbox Exporter through 0.17.0 allows /probe?target= SSRF

CVE-2020-16248 5.8 - Medium - August 09, 2020

Prometheus Blackbox Exporter through 0.17.0 allows SSRF via /probe?target=. NOTE: follow-on discussion suggests that this might plausibly be interpreted both as intended functionality (the exporter exists to probe caller-chosen targets) and as a vulnerability when the endpoint is reachable by clients the operator does not trust.

XSPA
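Both blackbox exporter entries above (CVE-2020-16248 and CVE-2023-26735) come down to the same exposure: whoever can reach /probe chooses the target. The exporter's own answer, per the disputes, is to put authentication in front of it. The code below is an added example, not a blackbox_exporter feature, of a second layer an operator might run in a small Go reverse proxy in front of the exporter: it parses the `target` parameter in both shapes blackbox accepts (a URL for the http module, host:port or a bare host for tcp/icmp/dns), refuses IP literals in loopback, private, link-local and similar ranges, and refuses hostnames that are not on an operator allowlist. The `allowedHosts` map, the `fakeProbe` stand-in and the sample targets are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist: the only hostnames an operator
// wants this exporter to probe. Names are allowlisted rather than resolved,
// so a name that later resolves to an internal address (DNS rebinding) still
// cannot get in unless the operator put it here.
var allowedHosts = map[string]bool{
	"example.com":     true,
	"www.example.com": true,
}

// isInternalIP reports whether ip lies in a range an untrusted caller must
// never be able to probe: loopback, RFC 1918 / ULA, link-local (which covers
// the 169.254.169.254 cloud metadata service), unspecified and multicast.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// checkProbeTarget returns "" if target may be probed, otherwise the reason
// for refusing it. Targets arrive either as a URL (http module) or as
// host:port / bare host (tcp, icmp, dns modules), so both shapes are parsed.
func checkProbeTarget(target string) string {
	if target == "" {
		return "missing target"
	}
	host := target
	if strings.Contains(target, "://") {
		u, err := url.Parse(target)
		if err != nil || u.Hostname() == "" {
			return "unparseable target"
		}
		host = u.Hostname() // strips the port and IPv6 brackets
	} else if h, _, err := net.SplitHostPort(target); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(strings.Trim(host, "[]"), "."))
	if ip := net.ParseIP(host); ip != nil {
		if isInternalIP(ip) {
			return "internal address"
		}
		return ""
	}
	// Not an IP literal. Obfuscated forms such as the decimal "2130706433"
	// are not parsed by net.ParseIP, so they land here and are refused unless
	// an operator explicitly allowlisted that exact string.
	if !allowedHosts[host] {
		return "host not in allowlist"
	}
	return ""
}

// guardProbe wraps a /probe handler and refuses disallowed targets with 403
// before any probe is attempted.
func guardProbe(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reason := checkProbeTarget(r.URL.Query().Get("target")); reason != "" {
			http.Error(w, "probe refused: "+reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fakeProbe stands in for the real /probe handler (constructed for the
// example); it only reports success.
func fakeProbe() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "probe_success 1")
	})
}

// probeStatus returns the HTTP status the guarded handler gives for rawURL.
func probeStatus(rawURL string) int {
	rec := httptest.NewRecorder()
	guardProbe(fakeProbe()).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawURL, nil))
	return rec.Code
}

func main() {
	// Constructed sample targets: the classic SSRF destinations beside an
	// allowlisted public site.
	for _, target := range []string{
		"http://169.254.169.254/latest/meta-data/",
		"http://127.0.0.1:9090/api/v1/status/config",
		"10.0.0.5:22",
		"http://[::1]:9100/metrics",
		"2130706433",
		"https://www.example.com/",
	} {
		status := probeStatus("/probe?module=http_2xx&target=" + url.QueryEscape(target))
		fmt.Printf("%-45s -> %d %q\n", target, status, checkProbeTarget(target))
	}
}
```

The allowlist is the part that does the real work: a deny-list of internal ranges alone is bypassed by any hostname the attacker controls that resolves to an internal address, and by redirects the probe follows, so hostnames are matched as strings against what the operator approved and never resolved here. This does not replace the exporter's own authentication; it limits what an authenticated but over-privileged client can aim the exporter at.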

A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1

CVE-2019-3826 6.1 - Medium - March 26, 2019

A stored, DOM-based cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.

XSS

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.