VYPR

rpm package

opensuse/golang-github-prometheus-prometheus&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/golang-github-prometheus-prometheus&distro=openSUSE%20Tumbleweed

Vulnerabilities (13)

  • CVE-2026-39821CriMay 22, 2026
    affected < 3.12.0-2.1fixed 3.12.0-2.1

    The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in program

  • CVE-2026-42154HigMay 4, 2026
    affected < 3.11.3-1.1fixed 3.11.3-1.1

    Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated atta

  • CVE-2026-42151HigMay 4, 2026
    affected < 3.11.3-1.1fixed 3.11.3-1.1

    Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type

  • CVE-2026-40179MedApr 15, 2026
    affected < 3.11.2-1.1fixed 3.11.2-1.1

    Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into inne

  • CVE-2025-13465MedJan 21, 2026
    affected < 3.9.1-2.1fixed 3.9.1-2.1

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2024-45337CriDec 12, 2024
    affected < 3.1.0-1.1fixed 3.1.0-1.1

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-6104Jun 24, 2024
    affected < 2.53.0-2.1fixed 2.53.0-2.1

    go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

  • CVE-2023-45142Oct 12, 2023
    affected < 2.53.0-3.1fixed 2.53.0-3.1

    OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests

  • CVE-2022-41723Feb 28, 2023
    affected < 2.46.0-2.1fixed 2.46.0-2.1

    A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

  • CVE-2022-46146Nov 29, 2022
    affected < 2.41.0-1.1fixed 2.41.0-1.1

    Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.

  • CVE-2022-41715Oct 14, 2022
    affected < 2.48.1-2.1fixed 2.48.1-2.1

    Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm

  • CVE-2021-29622May 19, 2021
    affected < 2.27.1-4.2fixed 2.27.1-4.2

    Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL

  • CVE-2019-10215Oct 8, 2019
    affected < 2.27.1-4.2fixed 2.27.1-4.2

    Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.