CVE-2023-40577

Published: 2023-08-25 00:00:00
Source: ubuntu.com (Ubuntu CVE tracker)

Tags: alertmanager, prometheus, arbitrary JavaScript execution, POST requests, /api/v1/alerts endpoint, fixed in version 0.25.1, security issue

CVSS v3.1 base score: 7.5 (High)

  Attack Vector:          Network
  Attack Complexity:      Low
  Privileges Required:    None
  User Interaction:       None
  Scope:                  Unchanged
  Confidentiality Impact: High
  Integrity Impact:       None
  Availability Impact:    None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score: 0.0004 (Low), percentile 14.0%

Alertmanager handles alerts sent by client applications such as the
Prometheus server. An attacker able to perform POST requests against the
/api/v1/alerts endpoint could inject alert content that the Alertmanager web
UI renders without adequate escaping, and thereby execute arbitrary
JavaScript in the browsers of users viewing Alertmanager (a stored
cross-site scripting issue). This issue has been fixed in Alertmanager
version 0.25.1 (the upstream advisory text misprints this as "0.2.51").
Note that the endpoint accepts alerts from anyone who can reach it unless
access is restricted in front of it, for example with Alertmanager's web
configuration file (basic auth, TLS) or an authenticating reverse proxy.
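A practitioner reading this advisory typically wants two checks: whether a given Alertmanager version is below the fixed release, and whether alert payloads arriving at /api/v1/alerts carry the kind of HTML/JavaScript markers that would be dangerous if rendered unescaped. The following Python is an added example written for this page, not Alertmanager's own code or the upstream fix; the payload shape (a JSON array of alerts with labels, annotations, startsAt, endsAt and generatorURL) follows the public v1 API, the sample alerts are constructed, and the injection markers are a heuristic, not a complete XSS detector.

```python
"""Audit Alertmanager v1 alert payloads for HTML/JS injection markers and
check a version string against the fixed release (0.25.1).

Example code added to the advisory page; not Alertmanager's own code.
The sample payload below is constructed for illustration."""
import json
import re

# Version in which the issue was fixed upstream (0.25.1).
FIXED_VERSION = (0, 25, 1)

# Heuristic markers for content that becomes dangerous if rendered
# unescaped in a browser. Not exhaustive; tune for your environment.
_MARKERS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"\bjavascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I), "active HTML element"),
]


def parse_version(version):
    """Turn 'v0.25.1' or '0.25.1' into a comparable tuple (0, 25, 1)."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when the given Alertmanager version predates the fix."""
    return parse_version(version) < FIXED_VERSION


def _scan_value(path, value, findings):
    """Record every marker that matches a single string field."""
    if not isinstance(value, str):
        return
    for pattern, description in _MARKERS:
        if pattern.search(value):
            findings.append((path, description))


def audit_alerts(payload):
    """Scan a v1 alerts payload (JSON text or parsed list) and return a list
    of (field path, marker description) for every suspicious field."""
    alerts = json.loads(payload) if isinstance(payload, str) else payload
    findings = []
    for index, alert in enumerate(alerts):
        for section in ("labels", "annotations"):
            for key, value in alert.get(section, {}).items():
                _scan_value(f"alerts[{index}].{section}.{key}", value, findings)
        # generatorURL is rendered as a link to the alert's source.
        _scan_value(f"alerts[{index}].generatorURL", alert.get("generatorURL"), findings)
    return findings


# Constructed sample payload in the shape POSTed to /api/v1/alerts.
SAMPLE_PAYLOAD = json.dumps([
    {   # benign alert as Prometheus would send it
        "labels": {"alertname": "DiskFull", "instance": "db-01:9100", "severity": "critical"},
        "annotations": {"summary": "Disk usage above 95% on db-01"},
        "startsAt": "2023-08-25T00:00:00Z",
        "generatorURL": "http://prometheus.example/graph?g0.expr=node_filesystem_avail_bytes",
    },
    {   # annotation carrying a script tag
        "labels": {"alertname": "Injected", "severity": "warning"},
        "annotations": {"description": "Node down <script>alert(1)</script>"},
        "startsAt": "2023-08-25T00:00:00Z",
    },
    {   # source link pointing at a javascript: URL
        "labels": {"alertname": "Injected2"},
        "annotations": {},
        "startsAt": "2023-08-25T00:00:00Z",
        "generatorURL": "javascript:alert(document.cookie)",
    },
])


if __name__ == "__main__":
    for ver in ("0.25.0", "v0.25.1", "0.26.0"):
        print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    for path, why in audit_alerts(SAMPLE_PAYLOAD):
        print(f"suspicious {why} in {path}")
```

Run the script as-is to see the version verdicts and the two flagged fields; in practice `audit_alerts` would sit in an ingress filter or be run over captured request bodies. Flagged alerts should be investigated as possible abuse of the endpoint rather than silently dropped, since the real fix is upgrading and restricting who can post alerts.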
