CVE-2023-40577

NameCVE-2023-40577
DescriptionAlertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in Alertmanager version 0.2.51.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3609-1
Debian Bugs1050558

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
prometheus-alertmanager (PTS)stretch0.5.1+ds-7fixed
buster (security), buster, buster (lts)0.15.3+ds-3+deb10u1fixed
bullseye0.21.0+ds-4vulnerable
bookworm0.25.0-1vulnerable
sid, trixie0.27.0+ds-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
prometheus-alertmanagersourcestretch(not affected)
prometheus-alertmanagersourcebuster0.15.3+ds-3+deb10u1DLA-3609-1
prometheus-alertmanagersource(unstable)0.26.0+ds-1unimportant1050558

Notes

https://github.com/prometheus/alertmanager/security/advisories/GHSA-v86x-5fm3-5p7j
https://github.com/prometheus/alertmanager/commit/8b9f2fd20c25e0d1e76aa0b407f7e354996d8e72 (v0.25.1)
Debian package doesn't ship the UI
[stretch] - prometheus-alertmanager <not-affected> (The vulnerable code was introduced later)
Search for package or bug name: Reporting problems