CVE-2021-29622

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*
cpe:2.3:a:prometheus:prometheus:2.27.0:-:*:*:*:*:*:*
cpe:2.3:a:prometheus:prometheus:2.27.0:rc0:*:*:*:*:*:*

History

26 May 2021, 22:29

Type Values Removed Values Added
CPE cpe:2.3:a:prometheus:prometheus:2.27.0:-:*:*:*:*:*:*
cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*
cpe:2.3:a:prometheus:prometheus:2.27.0:rc0:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 5.8
v3 : 6.1
References (MISC) https://github.com/prometheus/prometheus/releases/tag/v2.26.1 - (MISC) https://github.com/prometheus/prometheus/releases/tag/v2.26.1 - Third Party Advisory
References (MISC) https://github.com/prometheus/prometheus/releases/tag/v2.27.1 - (MISC) https://github.com/prometheus/prometheus/releases/tag/v2.27.1 - Third Party Advisory
References (CONFIRM) https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7 - (CONFIRM) https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7 - Third Party Advisory

19 May 2021, 20:21

Type Values Removed Values Added
CWE CWE-601

19 May 2021, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-05-19 20:15

Updated : 2023-12-10 13:55


NVD link : CVE-2021-29622

Mitre link : CVE-2021-29622

CVE.ORG link : CVE-2021-29622


JSON object : View

Products Affected

prometheus

  • prometheus
CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')