Unrestricted access to Prometheus Metrics - Vulnerability Database

Unrestricted access to Prometheus Metrics

Description

Prometheus is an open-source monitoring and alerting toolkit that collects metrics by scraping HTTP endpoints and stores them as time-series data. An application instrumented for Prometheus exposes an endpoint (by default /metrics) that returns the current value of every metric it tracks, in the Prometheus text exposition format. This vulnerability occurs when that endpoint is reachable by any unauthenticated client, such as over the internet, rather than only by the Prometheus scraper. Although intended as operational data, the metrics and their labels commonly reveal internal details: application, library and runtime versions (for example through build_info metrics), hostnames and addresses of backend dependencies, request paths and routes including administrative ones, request and error rates, process details such as memory usage and open file descriptors, and occasionally business data that has ended up in label values. An attacker can use this to fingerprint the stack, map the internal architecture, and time attacks around load and deployment patterns.

Remediation

Restrict the Prometheus metrics endpoint so that only the Prometheus scraper (and operators who genuinely need it) can read it. Pick the approach that fits your infrastructure, or combine a network restriction with authentication for defence in depth:

1. Network-level restriction:
Configure your firewall or web server to allow access only from trusted source addresses (e.g., the Prometheus server or its subnet). This only protects the endpoint if the application port is not reachable directly, and if Nginx sits behind a load balancer you must configure the real_ip module (set_real_ip_from / real_ip_header) so that the allow/deny rules evaluate the original client address rather than the balancer's.

Example for Nginx:

location /metrics {
    allow 10.0.0.0/8;  # Internal network; narrow this to the scraper's address where possible
    deny all;          # Everyone else receives 403
    proxy_pass http://app:8080;
}

2. Application-level authentication:
Implement HTTP Basic Authentication or token-based authentication for the metrics endpoint.

Example using middleware (Go), with the token loaded from the environment and compared in constant time:

import (
    "crypto/subtle"
    "net/http"
    "os"
)

// The bearer token the scraper presents (prometheus.yml: authorization.credentials); load it from a secret, never hard-code it.
var expectedToken = os.Getenv("METRICS_TOKEN")

func metricsAuth(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        got := []byte(r.Header.Get("Authorization"))
        want := []byte("Bearer " + expectedToken)
        // Refuse everything if no token is configured; constant-time compare avoids leaking the token via timing.
        if expectedToken == "" || subtle.ConstantTimeCompare(got, want) != 1 {
            http.Error(w, "Unauthorized", http.StatusUnauthorized)
            return
        }
        next.ServeHTTP(w, r)
    })
}

Mount it as http.Handle("/metrics", metricsAuth(promhttp.Handler())) and give Prometheus the same token in its scrape_config (authorization: credentials).

3. Use a reverse proxy with authentication:
Deploy a reverse proxy (such as Nginx with auth_basic and auth_basic_user_file, or Traefik with its BasicAuth middleware) in front of the application and require credentials for /metrics. Prometheus can present those credentials itself: its scrape_config supports basic_auth and authorization (bearer token) settings, so protecting the endpoint does not break scraping.

Verify the fix by requesting the metrics endpoint without credentials from outside the trusted network and confirming that it returns 401 or 403 with no metric data, rather than 200 with "# HELP" / "# TYPE" lines. Also request it directly on the application's own port (for example http://app:8080/metrics), bypassing the proxy, to confirm the control cannot be sidestepped, and check that authenticated scrapes still succeed and the target shows as UP in Prometheus.
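The following stand-alone Go program is an added example, not code from this page or from the Prometheus project. It wires a hypothetical application whose /metrics is gated by the bearer-token middleware approach from step 2, then runs the verification from the last step as code: an anonymous probe of the unprotected endpoint reads the metric families, while the same probe against the protected endpoint gets 401 and nothing else. The metrics body, the token value and the newApp/Probe names are all constructed for the example; in a real deployment the token comes from a secret store and the probe is pointed at the public hostname and at the application's own port.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sampleMetrics is a constructed exposition-format body standing in for what
// a real /metrics handler would emit; note the route and version labels.
const sampleMetrics = `# HELP http_requests_total Total HTTP requests.
# TYPE http_requests_total counter
http_requests_total{method="GET",path="/admin/users"} 1027
# TYPE app_build_info gauge
app_build_info{version="2.4.1",go_version="go1.22.3"} 1
`

// metricsHandler stands in for the application's metrics endpoint.
func metricsHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
	io.WriteString(w, sampleMetrics)
}

// requireBearer serves next only when the request carries
// "Authorization: Bearer <token>"; the comparison is constant-time.
func requireBearer(token string, next http.Handler) http.Handler {
	want := []byte("Bearer " + token)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("Authorization"))
		if token == "" || subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newApp wires a hypothetical application with a protected /metrics route.
func newApp(token string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/metrics", requireBearer(token, http.HandlerFunc(metricsHandler)))
	return mux
}

// ProbeResult is what one GET against the endpoint revealed.
type ProbeResult struct {
	Status       int
	IsExposition bool     // body contains Prometheus "# TYPE" lines
	MetricNames  []string // metric families that were readable
}

// Probe fetches url (with a bearer token if one is given) and parses the body.
// Status 200 with IsExposition true on an anonymous probe is the finding.
func Probe(url, token string) (ProbeResult, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return ProbeResult{}, err
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	res := ProbeResult{Status: resp.StatusCode}
	sc := bufio.NewScanner(io.LimitReader(resp.Body, 1<<20)) // read at most 1 MiB
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 3 && f[0] == "#" && f[1] == "TYPE" {
			res.IsExposition = true
			res.MetricNames = append(res.MetricNames, f[2])
		}
	}
	return res, sc.Err()
}

func main() {
	const token = "example-scrape-token" // assumption: real deployments load this from a secret store
	open := httptest.NewServer(http.HandlerFunc(metricsHandler)) // the "before" state
	app := httptest.NewServer(newApp(token))                     // the "after" state
	defer open.Close()
	defer app.Close()
	for _, c := range []struct{ name, url, tok string }{
		{"unprotected, anonymous", open.URL + "/metrics", ""},
		{"protected, anonymous", app.URL + "/metrics", ""},
		{"protected, scraper token", app.URL + "/metrics", token},
	} {
		r, err := Probe(c.url, c.tok)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%-26s status=%d exposition=%t metrics=%v\n", c.name, r.Status, r.IsExposition, r.MetricNames)
	}
}
```

Running it prints one line per case: the unprotected server yields status 200 with both metric families, the anonymous probe of the protected server yields 401 with no metrics, and the probe carrying the scraper's token yields 200 again. Point Probe at the real public URL and at the application's own port to reproduce the verification step against a deployed fix.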
