Cross-site scripting (reflected) vulnerability found in burp scan report for Prometheus Server and Alertmanager


veena thimmegowda

May 28, 2020, 11:39:44 PM
to Prometheus Users
Hi,

In the burp scan analysis report we found Cross-site scripting (reflected) vulnerability for the Alertmanager and Prometheus server.
Please provide the solution to solve/remove this vulnerability.

Please find the attached files for more information.

Regards,
Veena


cross scripting site.txt

Brian Brazil

May 29, 2020, 3:53:29 AM
to veena thimmegowda, Prometheus Users
On Fri, 29 May 2020 at 04:39, veena thimmegowda <veen...@gmail.com> wrote:
> Hi,
>
> In the burp scan analysis report we found Cross-site scripting (reflected) vulnerability for the Alertmanager and Prometheus server.
> Please provide the solution to solve/remove this vulnerability.

Neither Prometheus nor the Alertmanager can return 401s, nor is state a URL parameter we use. This sounds like an issue with a reverse proxy you have in front of them.

Brian

> Please find the attached files for more information.
>
> Regards,
> Veena
>
> --
> You received this message because you are subscribed to the Google Groups "Prometheus Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-use...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/68a949dd-bc8a-4814-8206-773ba1c0320a%40googlegroups.com.


--
Brian Brazil
www.robustperception.io
Julien Pivotto

May 29, 2020, 11:44:01 AM
to Brian Brazil, veena thimmegowda, Prometheus Users
On 29 May 08:53, Brian Brazil wrote:
> On Fri, 29 May 2020 at 04:39, veena thimmegowda <veen...@gmail.com> wrote:
>
> > Hi,
> >
> > In the burp scan analysis report we found *Cross-site scripting
> > (reflected) *vulnerability for the Alertmanager and Prometheus server.
> > Please provide the solution to solve/remove this vulnerability.
> >
>
> Neither Prometheus nor the Alertmanager can return 401s, nor is state a URL
> parameter we use. This sounds like an issue with a reverse proxy you have
> in front of them.
>
> Brian


Thank you Veena,

I would also like to point you to our Security Model page:
https://prometheus.io/docs/operating/security/

In this doc, we ask for security issues to be reported to the
maintainers listed in the MAINTAINERS of the relevant repository and CC
prometh...@googlegroups.com.

Should you have other reports like this, it would be better to have them
handled this way so we can work with you on a timely fix & disclosure.

Thanks!

--
Julien Pivotto
@roidelapluie