Alpine: multiple prometheus packages: security update to 3.5.3-r0

medium Tenable Self-Hosted Container Security Plugin ID 441027

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and
3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the
Prometheus web UI where metric names and label values are injected into innerHTML without escaping. In
both the Mantine UI and old React UI, chart tooltips on the Graph page render metric names containing
HTML/JavaScript without sanitization. In the old React UI, the Metric Explorer fuzzy search results use
dangerouslySetInnerHTML without escaping, and heatmap cell tooltips interpolate le label values without
sanitization. With Prometheus v3.x defaulting to UTF-8 metric and label name validation, characters like
<, >, and " are now valid in metric names and labels. An attacker who can inject metrics via a compromised
scrape target, remote write, or OTLP receiver endpoint can execute arbitrary JavaScript in the browser of
any Prometheus user who views the metric in the Graph UI, potentially enabling configuration exfiltration,
data deletion, or Prometheus shutdown depending on enabled flags. This issue has been fixed in versions
3.5.2 and 3.11.2. If developers are unable to immediately update, the following workarounds are
recommended: ensure that the remote write receiver (--web.enable-remote-write-receiver) and the OTLP
receiver (--web.enable-otlp-receiver) are not exposed to untrusted sources; verify that all scrape targets
are trusted and not under attacker control; avoid enabling admin or mutating API endpoints (e.g.,
--web.enable-admin-api or --web.enable-lifecycle) in environments where untrusted data may be ingested;
and refrain from clicking untrusted links, particularly those containing functions such as label_replace,
as they may generate poisoned label names and values. (CVE-2026-40179)

- Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and
3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread)
was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the
configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth
client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has
been patched in versions 3.5.3 and 3.11.3. (CVE-2026-42151)

- Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and
3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-
compressed request body before allocating memory. An unauthenticated attacker can send a small payload
that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory
and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
(CVE-2026-42154)

Solution

Update the prometheus library and its related packages to version 3.5.3-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-40179

https://security.alpinelinux.org/vuln/CVE-2026-42151

https://security.alpinelinux.org/vuln/CVE-2026-42154

Plugin Details

Severity: Medium

ID: 441027

Version: Revision 1.4

Type: Local

Published: 4/30/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.72

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-40179

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.3

Threat Score: 1.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/13/2026

Reference Information

CVE: CVE-2026-40179, CVE-2026-42151, CVE-2026-42154