Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/prometheus/prometheus: CVE-2019-3826 #2254

Closed
tatianab opened this issue Nov 8, 2023 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/prometheus/prometheus: CVE-2019-3826 #2254

tatianab opened this issue Nov 8, 2023 · 2 comments
Labels
excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process

Comments

@tatianab
Copy link
Contributor

tatianab commented Nov 8, 2023

CVE-2019-3826 references github.com/prometheus/prometheus, which may be a Go module.

Description:
A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus before version 2.7.1. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/prometheus/prometheus
      vulnerable_at: 0.47.2
      packages:
        - package: prometheus
cves:
    - CVE-2019-3826
references:
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3826
    - fix: https://github.com/prometheus/prometheus/pull/5163
    - fix: https://github.com/prometheus/prometheus/commit/62e591f9
    - web: https://access.redhat.com/errata/RHBA-2019:0327
    - web: https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E
    - web: https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E
    - web: https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E
    - web: https://advisory.checkmarx.net/advisory/CX-2019-4297
@tatianab tatianab added the excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process label Nov 8, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Dec 13, 2023
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/549915 mentions this issue: data/excluded: update GO-2023-2254.yaml

gopherbot pushed a commit that referenced this issue Dec 14, 2023
@timothy-king
data/excluded: update GO-2023-2254.yaml
42fb908 
Aliases: CVE-2019-3826, GHSA-3m87-5598-2v4f

Updates #2254

Fixes #2408

Change-Id: I7f5bb8eddf871d7248c356fa816799e8f2e2a268
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/549915
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Tim King <taking@google.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tatianab @gopherbot