{"id":"USN-6935-1","summary":"prometheus-alertmanager vulnerability","details":"It was discovered that prometheus-alertmanager didn't properly sanitize \ninput it received through an API endpoint. An attacker with permission to \nsend requests to this endpoint could potentially inject arbitrary code.\n\nOn Ubuntu 20.04 LTS and Ubuntu 22.04 LTS, this vulnerability is only \npresent if the UI has been explicitly activated.\n","modified":"2026-04-24T09:52:19.567274Z","published":"2024-07-31T15:07:56Z","related":["UBUNTU-CVE-2023-40577"],"upstream":["CVE-2023-40577","UBUNTU-CVE-2023-40577"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6935-1"}],"affected":[{"package":{"name":"prometheus-alertmanager","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/prometheus-alertmanager@0.6.2+ds-3ubuntu0.1+esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.2+ds-3ubuntu0.1+esm1"}]}],"versions":["0.6.2+ds-2","0.6.2+ds-3","0.6.2+ds-3ubuntu0.1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"0.6.2+ds-3ubuntu0.1+esm1","binary_name":"golang-github-prometheus-alertmanager-dev"},{"binary_version":"0.6.2+ds-3ubuntu0.1+esm1","binary_name":"prometheus-alertmanager"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6935-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:18.04:LTS","cves":[]}}},{"package":{"name":"prometheus-alertmanager","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/prometheus-alertmanager@0.15.3+ds-3ubuntu1.2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.15.3+ds-3ubuntu1.2"}]}],"versions":["0.15.3+ds-3","0.15.3+ds-3ubuntu1","0.15.3+ds-3ubuntu1.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"0.15.3+ds-3ubuntu1.2","binary_name":"golang-github-prometheus-alertmanager-dev"},{"binary_version":"0.15.3+ds-3ubuntu1.2","binary_name":"prometheus-alertmanager"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6935-1.json","cves_map":{"ecosystem":"Ubuntu:20.04:LTS","cves":[]}}},{"package":{"name":"prometheus-alertmanager","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/prometheus-alertmanager@0.23.0-4ubuntu0.2+esm1?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.23.0-4ubuntu0.2+esm1"}]}],"versions":["0.21.0+ds-4","0.23.0-4","0.23.0-4ubuntu0.1","0.23.0-4ubuntu0.2"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"0.23.0-4ubuntu0.2+esm1","binary_name":"golang-github-prometheus-alertmanager-dev"},{"binary_version":"0.23.0-4ubuntu0.2+esm1","binary_name":"prometheus-alertmanager"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-6935-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:22.04:LTS","cves":[]}}}],"schema_version":"1.7.5"}