
Exposed Prometheus instance at prometheus.qa.r3.com

Medium
R3
Submitted None

Team Summary

Official summary from R3

An exposed prometheus dashboard at the endpoint https://prometheus.qa.r3.com/ was discovered. Internal metrics of QA systems were exposed.

Reported by ian

Vulnerability Details

Technical details and impact analysis

Information Disclosure
## Summary

Hi there, just wanted to note that all of your assets are listed as out of scope on HackerOne right now, which is a bit confusing. Nevertheless, I noticed that your Prometheus server at prometheus.qa.r3.com is exposed to the internet, which appears to let you view all of the internal metrics of all of your QA systems. This seems to be connected to your Kubernetes API server, so it seems pretty concerning. I don't think this is incredibly concerning, as after all Prometheus is just metrics. But I don't think they are intended to be publicly exposed. :)

{F1305158} {F1305159}

## Steps To Reproduce

Visit https://prometheus.qa.r3.com/.

## Impact

Disclosure of normally private metrics.
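The finding above is a Prometheus web UI reachable from the internet with no authentication. Prometheus ships without auth enabled; the fix is either to keep the instance off the public internet or, where it must be reachable, to turn on TLS and basic auth through the web configuration file passed with `--web.config.file`. The fragment below is an added example (not R3's configuration and not part of the original report); the hostname, certificate paths, user name and hash value are placeholders.

```yaml
# web.yml, loaded with: prometheus --web.config.file=web.yml
# (added example; paths and credentials are placeholders, not values from the report)

tls_server_config:
  # Serve the UI and /api/v1/* over TLS only; plain-HTTP listeners are what
  # leave a dashboard like the one in the report readable by anyone.
  cert_file: /etc/prometheus/tls/prometheus.qa.example.crt
  key_file: /etc/prometheus/tls/prometheus.qa.example.key
  min_version: TLS12

basic_auth_users:
  # Values are bcrypt hashes, not plaintext. Generate one with, for example:
  #   htpasswd -nBC 12 "" | tr -d ':\n'
  # and paste the result in place of the placeholder below.
  qa-metrics-reader: "$2y$12$REPLACE_WITH_BCRYPT_HASH"
```

With this file in place the weak state (no `--web.config.file`, every path anonymous) becomes one where the server rejects unauthenticated requests with 401 and refuses cleartext. It is a backstop, not a substitute for network placement: a QA Prometheus that scrapes the Kubernetes API server should normally sit behind a VPN or an identity-aware proxy, with the public listener removed entirely.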

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Information Disclosure