H3-2022-0032¶

Unauthenticated Access to Prometheus Alertmanager

Description¶

The Prometheus Alertmanager application requires no authentication.

Impact¶

An unauthenticated attacker can access potentially sensitive alert data, access any stored secrets, and perform server-side request forgert (SSRF) attacks to leak additional sensitive data.

References¶

• Securing Prometheus API and UI Endpoints Using Basic Auth
• Don’t let Prometheus Steal your Fire
• CWE-306: Missing Authentication for Critical Function