Version 3.0.1
prometheus
The Prometheus monitoring system and time series database.
Install Instructions
go get github.com/prometheus/prometheus (this is the Go module path; the server binary is built from cmd/prometheus, so on Go 1.17+ the equivalent is go install github.com/prometheus/prometheus/cmd/prometheus@latest)
Current Version Release Date November 28, 2024
Language Go
Package URL (purl) pkg:github/prometheus/prometheus@13390c399558a83288875e80994a182e864b0724
prometheus Vulnerabilities
CVE | CVSS Score | CWE(s) | EPSS Score | EPSS Percentile | Impacted Versions |
---|---|---|---|---|---|
CVE-2021-29622 | Medium 6.1 | CWE-601 (open redirect) | 0.00287 | 0.69598 | 2.23.0 through 2.26.0, and 2.27.0 (ranges taken from the advisory text in the remediation table below) |
CVE-2019-3826 | Medium 6.1 | CWE-79 (cross-site scripting) | 0.00406 | 0.74513 | before 2.7.1 |
prometheus Vulnerability Remediation Guidance
CVE | Description | Full list of Impacted Versions | Fix |
---|---|---|---|
CVE-2021-29622 | Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ease the transition, URLs prefixed by /new redirect to /. Due to a bug in that redirect code, an attacker can craft a URL under the /new endpoint that redirects to any other URL: a user who visits a Prometheus server at such an address is sent on to an arbitrary, attacker-chosen site (an open redirect, CWE-601). The issue was patched in the 2.26.1 and 2.27.1 releases; in 2.28.0 the /new endpoint is removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus. | 2.23.0 through 2.26.0, and 2.27.0 | Patch → 2.26.1 (or 2.27.1 on the 2.27 line); workaround: block /new at a reverse proxy in front of Prometheus |
CVE-2019-3826 | A stored, DOM-based cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit it by convincing an authenticated user to visit a crafted URL on a Prometheus server, leading to the execution and persistent storage of arbitrary scripts. | before 2.7.1 | Patch → 2.7.1 |
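The CVE-2021-29622 entry above only says that a crafted URL under /new could redirect anywhere. The Go program below is added here as an illustration of that bug class and is not Prometheus's own code: a handler strips the /new prefix and trusts the remainder as a redirect target, so a path such as /new//attacker.example/graph becomes the protocol-relative Location //attacker.example/graph. Beside it sits a hardened target check that only allows local absolute paths, and a small middleware that models the advisory's reverse-proxy workaround of blocking /new. The handler names, the exact validation rules, and the constructed request paths are assumptions made for the example; the real code path in the affected releases is not reproduced.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// vulnerableNewRedirect models the bug class behind CVE-2021-29622: every
// request under /new is redirected to the same path with the prefix removed,
// and the remainder is trusted as the redirect target. (Assumption: this is an
// illustration of the pattern, not Prometheus's actual handler code.)
func vulnerableNewRedirect(w http.ResponseWriter, r *http.Request) {
	target := strings.TrimPrefix(r.URL.Path, "/new")
	if target == "" {
		target = "/"
	}
	// "/new//attacker.example/graph" yields "//attacker.example/graph"; Go's
	// http.Redirect passes a target with a host through unchanged, and browsers
	// resolve it as a protocol-relative URL on the attacker's host.
	http.Redirect(w, r, target, http.StatusFound)
}

// safeRedirectTarget keeps only local absolute paths: no scheme, no host,
// exactly one leading slash. "/\host" is rejected as well because browsers
// treat a backslash after the slash like "//host". Anything else falls back
// to the UI root.
func safeRedirectTarget(reqPath string) string {
	target := strings.TrimPrefix(reqPath, "/new")
	if target == "" {
		return "/"
	}
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return "/"
	}
	if !strings.HasPrefix(target, "/") ||
		strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") {
		return "/"
	}
	return target
}

// hardenedNewRedirect is the fixed counterpart of vulnerableNewRedirect.
func hardenedNewRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, safeRedirectTarget(r.URL.Path), http.StatusFound)
}

// denyNewPrefix models the advisory's workaround (blocking /new at a reverse
// proxy in front of Prometheus) as in-process middleware so it can be
// exercised offline: /new and everything below it never reaches the handler.
func denyNewPrefix(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/new" || strings.HasPrefix(r.URL.Path, "/new/") {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// redirectLocation drives a handler with a constructed GET request for reqPath
// and returns the status code and Location header it produced.
func redirectLocation(h http.Handler, reqPath string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, reqPath, nil))
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	// Constructed request paths: one benign, one carrying an external host.
	for _, p := range []string{"/new/graph", "/new//attacker.example/graph"} {
		code, loc := redirectLocation(http.HandlerFunc(vulnerableNewRedirect), p)
		fmt.Printf("vulnerable  %-30s -> %d %s\n", p, code, loc)
		code, loc = redirectLocation(http.HandlerFunc(hardenedNewRedirect), p)
		fmt.Printf("hardened    %-30s -> %d %s\n", p, code, loc)
		code, loc = redirectLocation(denyNewPrefix(http.HandlerFunc(vulnerableNewRedirect)), p)
		fmt.Printf("proxy-block %-30s -> %d %s\n", p, code, loc)
	}
}
```

The hardened check deliberately parses the candidate target and rejects anything with a scheme, host or opaque part before looking at the leading characters; checking only for a leading "//" misses "/\" and schemes without slashes. The middleware mirrors the advisory's interim advice for deployments that cannot upgrade straight away, and is unnecessary on 2.28.0 and later, where the /new endpoint no longer exists.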