CVE-2019-3826: XSS
First published: Tue Mar 26 2019(Updated: )
## Withdrawn Advisory This advisory has been withdrawn because the vulnerability does not apply to the Prometheus golang package. This link is maintained to preserve external references. ## Original Description A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Prometheus Prometheus | <2.7.1 | |
| Redhat Openshift Container Platform | =3.11 | |
| go/github.com/prometheus/prometheus | <2.7.1 | 2.7.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHBA-2019:0327
- https://advisory.checkmarx.net/advisory/CX-2019-4297
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826
- https://github.com/prometheus/prometheus/commit/62e591f9
- https://github.com/prometheus/prometheus/pull/5163
- https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177%40%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573%40%3Ccommits.zookeeper.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2019-3826
- https://github.com/prometheus/prometheus/pull/5163/commits/ea254eea5e3c9a12d6f37a25921b7259ff1c4280
- https://github.com/aquasecurity/trivy/issues/2992
- https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/merge_requests/26608
- https://github.com/advisories/GHSA-3m87-5598-2v4f (Advisory)
- collector/nvd-index
- collector/nvd-cve
- collector/github-advisory-latest
- alias/GHSA-3m87-5598-2v4f
- alias/CVE-2019-3826
- collector/github-advisory
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/type
- agent/event
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/remedy
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/prometheus
- canonical/prometheus prometheus
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/3.11
- package-manager/go