Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Many Prometheus Endpoints Expose Sensitive Data

Unprotected instances of open source event monitoring solution Prometheus may leak metric and label data to the Internet, software company JFrog warns.

Unprotected instances of open source event monitoring solution Prometheus may leak metric and label data to the Internet, software company JFrog warns.

Designed to harvest real-time metrics from various endpoints, Prometheus enables organizations to keep a close eye on systems’ state, network usage, and the like. Close to 800 cloud-native platforms, including Slack and Uber, leverage the solution.

In January 2021, Prometheus added support for Transport Layer Security (TLS) and basic authentication, to prevent access to the captured metrics. However, numerous Prometheus endpoints that are accessible from the Internet were found to leak metric and label data, JFrog reveals.

Prometheus, the software company says, has long avoided built-in support for security features, to focus on monitoring-related features, which has resulted in the leak of many types of sensitive data, of which developers often had no clue.

JFrog performed “a large-scale unauthenticated scraping of publicly available and non-secured Prometheus endpoints,” which by default allow for untrusted, public access.

This means that most publicly-exposed Prometheus endpoints could be accessed from the Internet without authentication, and JFrog found nearly 27,000 of them using Shodan, and 43,000 hosts using ZoomEye.

Some of the exposed data includes addresses of targets and services and usernames for accessing them, credentials in URL strings, infrastructure services, machine addresses and metadata labels, SSH public keys, environment variables for Kubelet, and more.

Non-secure deployments of Prometheus, JFrog warns, may pose an even larger security risk, via an optional management API that can be used to delete metrics and close the monitoring server. Roughly 15 percent of the identified exposed Prometheus endpoints had the API management feature enabled (it is disabled by default).

“This means that right off the bat, an unauthenticated attacker can trivially shutdown and/or delete the metrics of these Prometheus endpoints,” JFrog notes.

Basic authentication capabilities and TLS support were added in Prometheus version 2.24.0, and developers and organizations are advised to update to that or newer versions of the monitoring solution, to prevent sensitive data leaks.

“We highly recommend using authentication and encryption mechanisms when deploying Prometheus to help secure against the inadvertent leakage of sensitive information. Implementing these features in Prometheus 2.24.0 and later versions is easier than ever due to the built-in support that was added by the Prometheus team in January,” JFrog notes.

Related: FBI Reportedly Exposed Secret Terrorist Watchlist

Related: ImmuniWeb Launches Free Tool for Identifying Unprotected Cloud Storage

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.