CVE-2021-29622

Name
CVE-2021-29622
Description
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
MISC https://github.com/prometheus/prometheus/releases/tag/v2.26.1
MISC https://github.com/prometheus/prometheus/releases/tag/v2.27.1

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:* prometheus >= 2.23.0 < 2.26.1
cpe:2.3:a:prometheus:prometheus:2.27.0:-:*:*:*:*:*:* prometheus == None == 2.27.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
prometheus 3.13-community 2.24.0-r0 Drew DeVault <sir@cmpwn.com> possibly vulnerable