Burp scan reports SQL injection attack on the prometheus server

[Pavan Reddy]

What happened: using burp scanner to scan the Prometheus server, it reports a SQL injection attack with high severity.I am using Prometheus 2.16 version. 

Please find the Request and Response details below.

Request

GET /api/v1/query?query=time()'&_=1588065331449 HTTP/1.1

Host: x.x.x.x:9090

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://x.x.x.x:9090/graph

X-Requested-With: XMLHttpRequest

Connection: close

Response

HTTP/1.1 400 Bad Request

Content-Type: application/json

Date: Tue, 28 Apr 2020 09:18:26 GMT

Content-Length: 123

Connection: close

{"status":"error","errorType":"bad_data","error":"invalid parameter 'query': 1:7: parse error: unterminated quoted string"}

What you expected to happen: no high level attacks

[Brian Candler]

I suggest you report this to the burp people as a false positive.

Prometheus has handled this exactly right - it has rejected the request, and given a descriptive response saying what's wrong with the format of the provided data.  There's no SQL in prometheus anyway.