Unknown · Prometheus · CVE-2021-29622
**Name of the Vulnerable Software and Affected Versions**
Prometheus versions 2.23.0 through 2.26.0
Prometheus version 2.27.0
**Description**
Prometheus is an open-source monitoring system and time series database. In version 2.23.0, Prometheus made its new React-based UI the default. To ensure a seamless transition, URLs under the `/new` prefix are redirected to the corresponding path under `/`. Due to a bug in that redirect handler, an attacker can craft a `/new` URL whose redirect target is an arbitrary, attacker-chosen URL (an open redirect). Because such a link begins with the trusted Prometheus host, it lends credibility to phishing: a user who visits a Prometheus server at a specially crafted address is sent to a site the attacker controls. For example, a user who visits `http://127.0.0.1:9090/new/newhttp://www.google.com/` is redirected to `http://www.google.com/`.
**Recommendations**
For Prometheus versions 2.23.0 through 2.26.0, update to version 2.26.1 or later.
For Prometheus version 2.27.0, update to version 2.27.1 or later.
As a temporary workaround, block requests whose path starts with `/new` at a reverse proxy in front of Prometheus until the server can be upgraded.
Note: Deployments that set `--web.external-url=` to a URL that includes a path are not affected, because the redirect target is joined onto that path and therefore always stays on the Prometheus server itself.
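The following Go program is an added example written for this page, not Prometheus' own source, that models the redirect behaviour described above and the effect of the `--web.external-url` path noted here. `legacyRedirectTarget` reconstructs the pre-fix logic as the advisory describes it (strip the `/new` prefix, join the remainder onto the external URL path); `safeRedirectTarget` is one hardened form that pins the target to a local absolute path and re-checks it before use. The function names, the `externalPath` parameter and the constructed request paths are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// legacyRedirectTarget models the pre-fix behaviour described in this
// advisory: a "/new/*path" route hands the handler everything after "/new",
// the handler strips a further "/new" prefix and joins the remainder onto
// the path part of --web.external-url (externalPath, "" when the flag has no
// path). Illustrative reconstruction for this page, not Prometheus' source.
func legacyRedirectTarget(externalPath, requestPath string) string {
	rest := strings.TrimPrefix(requestPath, "/new") // what the route captures
	rest = strings.TrimPrefix(rest, "/new")         // the handler's own strip
	// path.Join cleans the result, so "http://www.google.com/" becomes
	// "http:/www.google.com": still scheme-qualified, still off-site.
	return path.Join(externalPath, rest)
}

// safeRedirectTarget forces the target to be an absolute local path by
// joining from "/" first: path.Clean collapses any leading "//" and any
// scheme-looking text becomes an ordinary path segment. The result is then
// re-checked so a future refactor cannot silently reopen the hole.
func safeRedirectTarget(externalPath, requestPath string) string {
	rest := strings.TrimPrefix(requestPath, "/new")
	rest = strings.TrimPrefix(rest, "/new")
	target := path.Join("/", externalPath, rest)
	if isOffsite(target) {
		return "/"
	}
	return target
}

// isOffsite reports whether net/http.Redirect would send the browser away
// from this server. Redirect only rewrites targets that have neither a scheme
// nor a host into request-relative paths; anything else is emitted verbatim
// in the Location header, and browsers accept "http:/host" as "http://host/".
func isOffsite(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return true
	}
	return u.Scheme != "" || u.Host != ""
}

func main() {
	// Constructed inputs: the advisory's crafted path and a benign UI path.
	crafted := "/new/newhttp://www.google.com/"
	benign := "/new/graph"
	for _, ext := range []string{"", "/prom"} {
		fmt.Printf("external path %q\n", ext)
		legacy := legacyRedirectTarget(ext, crafted)
		fixed := safeRedirectTarget(ext, crafted)
		fmt.Printf("  legacy: %-28s offsite=%v\n", legacy, isOffsite(legacy))
		fmt.Printf("  fixed:  %-28s offsite=%v\n", fixed, isOffsite(fixed))
		fmt.Printf("  benign: %s -> %s\n", benign, safeRedirectTarget(ext, benign))
	}
}
```

With no external URL path the legacy model turns the crafted request into `http:/www.google.com`, which `isOffsite` flags; with `/prom` as the external path the same input yields `/prom/http:/www.google.com`, a local path, which is why the note above says those deployments are unaffected. To check a live instance, request the crafted URL with `curl -sI` and inspect the `Location` header: on a vulnerable build it carries the attacker's host.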