It was discovered that prometheus-alertmanager didn't properly sanitize input it received through an API endpoint. An attacker with permission to send requests to this endpoint could potentially inject arbitrary code.
On Ubuntu 20.04 LTS and Ubuntu 22.04 LTS, this vulnerability is only present if the UI has been explicitly activated.
Fixed packages (availability: Available with Ubuntu Pro: https://ubuntu.com/pro):
  golang-github-prometheus-alertmanager-dev  0.6.2+ds-3ubuntu0.1+esm1
  prometheus-alertmanager                    0.6.2+ds-3ubuntu0.1+esm1
  prometheus-alertmanager-dbgsym             0.6.2+ds-3ubuntu0.1+esm1

Fixed packages (availability: No subscription required):
  golang-github-prometheus-alertmanager-dev  0.15.3+ds-3ubuntu1.2
  prometheus-alertmanager                    0.15.3+ds-3ubuntu1.2
  prometheus-alertmanager-dbgsym             0.15.3+ds-3ubuntu1.2

Fixed packages (availability: Available with Ubuntu Pro: https://ubuntu.com/pro):
  golang-github-prometheus-alertmanager-dev  0.23.0-4ubuntu0.2+esm1
  prometheus-alertmanager                    0.23.0-4ubuntu0.2+esm1
  prometheus-alertmanager-dbgsym             0.23.0-4ubuntu0.2+esm1