Prometheus Sensitive Endpoint Detected

medium Web App Scanning Plugin ID 114012

Language:

Synopsis

Prometheus Sensitive Endpoint Detected

Description

Prometheus is an open-source monitoring solution which is designed to record metrics in a dimensional data model to make it available through its own PromQL query language or built-in visualization capabilities. Prometheus offer multiple libraries (named 'Exporters') to help exporting these endpoints and make it available to third-party tools. When publicly exposed, a remote and unauthenticated attacker could leverage the data to understand the target application environment and try conducting further attack.

Solution

Ensure that the detected sensitive endpoint is not publicly available by requiring authentication or applying IP source filtering.

See Also

https://prometheus.io/

https://prometheus.io/docs/instrumenting/exporters/

Plugin Details

Severity: Medium

ID: 114012

Type: remote

Family: Data Exposure

Published: 9/11/2023

Updated: 10/30/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 16, 538

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1, 2021-A5

WASC: Application Misconfiguration, Predictable Resource Location

CAPEC: 95

DISA STIG: APSC-DV-002480

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

PCI-DSS: 3.2-2.2