Ironic Standalone Operator's prometheus metrics exporter bound to all interfaces
Impact: The Ironic Standalone Operator (IRSO) is the operator that maintains an Ironic deployment for Metal3. The Prometheus metrics exporter binds to 0.0.0.0 (all network interfaces) by default with no authentication. The exporter is disabled in the default config. If enabled, this exposes operational metrics to any ho...
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that report metrics are vulnerable to loss of confidentiality (CVE-2025-13490)
Summary: When an IBM App Connect Enterprise Certified Container IntegrationRuntime or IntegrationServer is configured to report metrics to a Prometheus instance in the OpenShift cluster, the metrics are sent over an unencrypted channel. This bulletin provides patch information to address the...
Kasten Prometheus Export via remote_write
Purpose: Kasten now supports exporting metrics from the embedded Prometheus to external backends using Prometheus's remote_write capability. This feature supports the collection, aggregation, and visualization of cluster and multi-cluster metrics in monitoring tools like Grafana Cloud and Datadog...
[SECURITY] Fedora 42 Update: rust-prometheus_exporter-0.8.5-5.fc42
Helper library to export Prometheus metrics using tiny-http...
[SECURITY] Fedora 43 Update: rust-prometheus_exporter-0.8.5-5.fc43
Helper library to export Prometheus metrics using tiny-http...
EUVD-2018-6509
Malware in sbrugna...
EUVD-2023-58268
Malicious code in bioql PyPI...
EUVD-2024-2854
Malicious code in bioql PyPI...
EUVD-2023-31333
Malicious code in bioql PyPI...
EUVD-2024-45992
Malicious code in bioql PyPI...
fleetdeck-poc
FleetDeck PoC...
CVE-2024-52307
authentik is an open-source identity provider. Due to the use of a non-constant-time comparison for the /-/metrics/ endpoint, it was possible to brute-force the SECRET_KEY, which is used to authenticate the endpoint. The /-/metrics/ endpoint returns Prometheus metrics and is not intended to be...
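The authentik entry above describes the general failure mode: a secret checked with an ordinary string comparison returns as soon as the first mismatching byte is found, so the time a request takes leaks how long the attacker's matching prefix is. The following is an added illustration, not authentik's code or its real SECRET_KEY handling: a hypothetical bearer-token check for a /-/metrics/ handler written both ways, with a step counter standing in for elapsed time so the leak can be observed deterministically. The secret value and the function names are constructed for the demo.

```python
import hmac
from typing import List, Optional, Tuple

# Constructed sample secret for the demonstration; a real deployment loads it from configuration.
SECRET_KEY = "a6f1c9e2d3b84f07"


def insecure_equals(a: str, b: str) -> Tuple[bool, int]:
    """Byte-by-byte comparison that returns at the first mismatch (the vulnerable pattern).

    Returns (equal, bytes_examined). The count stands in for elapsed time: it grows with the
    length of the matching prefix, which is exactly the side channel a brute-force attacker
    measures when guessing the secret one position at a time.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def secure_equals(a: str, b: str) -> bool:
    """Constant-time comparison: the work done does not depend on where the strings differ."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def authorize_metrics_request(header: Optional[str], expected: str = SECRET_KEY, secure: bool = True) -> bool:
    """Check an 'Authorization: Bearer <secret>' header for a hypothetical metrics handler.

    secure=True uses the constant-time comparison (the fix); secure=False uses the leaky one.
    """
    prefix = "Bearer "
    if not header or not header.startswith(prefix):
        return False
    token = header[len(prefix):]
    if secure:
        return secure_equals(token, expected)
    return insecure_equals(token, expected)[0]


def prefix_leak(expected: str = SECRET_KEY) -> List[int]:
    """Show how the leaky compare reveals the matching-prefix length.

    Builds guesses sharing 0, 4, 8, ... leading characters with the secret, padded with a
    character ('z') that cannot occur in the hex secret, and returns the bytes examined for
    each guess. The list is strictly increasing: a measurable signal per correct prefix.
    """
    counts = []
    for k in range(0, len(expected) + 1, 4):
        guess = expected[:k] + "z" * (len(expected) - k)
        counts.append(insecure_equals(guess, expected)[1])
    return counts


if __name__ == "__main__":
    print("leaky compare, bytes examined per guess:", prefix_leak())
    print("valid token accepted:", authorize_metrics_request("Bearer " + SECRET_KEY))
    print("wrong token rejected:", authorize_metrics_request("Bearer " + SECRET_KEY[:-1] + "8"))
```

In a real attack the signal is network round-trip time rather than a step counter, and recovering it requires many samples per candidate byte to average out jitter; the remedy is the same either way, compare secrets only with `hmac.compare_digest` (or the equivalent in the language at hand) and never with `==`.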
CVE-2024-12564
Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit prometheus metrics page. This can allow attackers to understand more things...
CVE-2023-27591
Miniflux is a feed reader. Prior to version 2.0.43, an unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default). A patch is available in...
Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics
Impact: An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default). Patches: PR 1745 fixes the problem. Available in Miniflux >= 2.0.43...
GHSA-3QJF-QH38-X73V Unauthenticated Miniflux user can bypass allowed networks check to obtain Prometheus metrics
Impact: An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default). Patches: PR 1745 fixes the problem. Available in Miniflux >= 2.0.43...
GO-2025-3418 Envoy Admin Interface Exposed through prometheus metrics endpoint in github.com/envoyproxy/gateway
Envoy Admin Interface Exposed through prometheus metrics endpoint in github.com/envoyproxy/gateway...
Envoy Admin Interface Exposed through prometheus metrics endpoint
Impact: A user with access to a Kubernetes cluster where Envoy Gateway is installed can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by Envoy Gateway. The admin interface can be used to terminate the Envoy process and extract the Envoy configuration...
CVE-2025-24030 Envoy Admin Interface Exposed through prometheus metrics endpoint
Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. A user with access to the Kubernetes cluster can use a path traversal attack to execute Envoy Admin interface commands on proxies managed by any version of Envoy Gateway prior...