Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in Alertmanager version 0.2.51.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "prometheus-alertmanager-dbgsym": "0.6.2+ds-3ubuntu0.1+esm1", "prometheus-alertmanager": "0.6.2+ds-3ubuntu0.1+esm1", "golang-github-prometheus-alertmanager-dev": "0.6.2+ds-3ubuntu0.1+esm1" } ] }
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "prometheus-alertmanager-dbgsym": "0.23.0-4ubuntu0.2+esm1", "prometheus-alertmanager": "0.23.0-4ubuntu0.2+esm1", "golang-github-prometheus-alertmanager-dev": "0.23.0-4ubuntu0.2+esm1" } ] }