CVE-2021-29622 Arbitrary redirects under /new endpoint

2021-05-19 20:00:13
CWE-601
GitHub_M
www.cve.org
cve-2021-29622
security issue
url redirection
bug
patch
reverse proxy

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score: 6.5
Confidence: High
EPSS: 0.003
Percentile: 68.9%

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /. Due to a bug in the code, an attacker can craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.

CNA Affected

[
  {
    "product": "prometheus",
    "vendor": "prometheus",
    "versions": [
      {
        "status": "affected",
        "version": ">= 2.23.0, < 2.27.1"
      }
    ]
  }
]
