CVE-2021-29622

Description

### Impact In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address (e.g.: `http://127.0.0.1:9090/new/new<url>`), they can be redirected to an arbitrary URL. e.g. if a user visits http://127.0.0.1:9090/new/newhttp://www.google.com/, they will be redirected to http://google.com. ### Patches The issue will be patched in 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. ### Workarounds The workaround is to disable access to /new via a reverse proxy in front of Prometheus. Note: Users who use a `--web.external-url=` flag _with a path_ (e.g. `--web.external-url=http://example.com/prometheus`) are not affected. ### For more information If you have any questions or comments about this advisory, please use our community channels (https://prometheus.io/community). Our security policy is available at https://prometheus.io/docs/operating/security/

Affected packages (2)

• Bitnami/prometheus>= 2.23.0, < 2.26.1, >= 2.27.0, < 2.27.1
• Go/github.com/prometheus/prometheus>= 2.23.0, < 2.26.1

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-29622
• WEBhttps://github.com/prometheus/prometheus/releases/tag/v2.26.1
• WEBhttps://github.com/prometheus/prometheus/releases/tag/v2.27.1
• WEBhttps://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7