From 8d36ebe1d6082bb8660c58405e873397c4f21e0a Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 19 Oct 2021 20:32:48 +0530 Subject: [PATCH] Update prometheus-config-endpoint.yaml --- exposures/configs/prometheus-config-endpoint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/exposures/configs/prometheus-config-endpoint.yaml b/exposures/configs/prometheus-config-endpoint.yaml index 7b6150eb2e..b454c38383 100644 --- a/exposures/configs/prometheus-config-endpoint.yaml +++ b/exposures/configs/prometheus-config-endpoint.yaml @@ -3,9 +3,9 @@ id: prometheus-config-endpoint info: name: Exposure of sensitive operational information via Prometheus config API endpoint author: geeknik + severity: high description: The config endpoint returns the loaded Prometheus configuration file. This file also contains addresses of targets and alerting/discovery services alongside the credentials required to access them. Usually, Prometheus replaces the passwords in the credentials config configuration field with the placeholder (although this still leaks the username). reference: https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/ - severity: high tags: prometheus,exposure requests: