PT-2021-18373 · Prometheus
Author: Dodek · Published 2021-05-19 · Updated 2024-06-15
CVE-2021-29622
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Prometheus versions 2.23.0 through 2.26.0
Prometheus version 2.27.0
Description
Prometheus is an open-source monitoring system and time series database. In version 2.23.0, Prometheus changed its default UI to the New UI. To ensure a seamless transition, URLs prefixed by /new redirect to /. Due to a bug in the code, an attacker can craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. For example, if a user visits http://127.0.0.1:9090/new/newhttp://www.google.com/, they will be redirected to http://google.com.
Recommendations
For Prometheus versions 2.23.0 through 2.26.0, update to version 2.26.1 or later.
For Prometheus version 2.27.0, update to version 2.27.1 or later.
As a temporary workaround, consider disabling access to /new via a reverse proxy in front of Prometheus.
Note: Users who use a --web.external-url= flag with a path are not affected.
Fix
Open Redirect
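The redirect flaw described above, beside a hardened form of the same handler, as an added Go example written for this advisory page; it is an assumed simplification of the pattern, not Prometheus's own web handler code. The externalPath parameter stands in for the path part of --web.external-url, and the names vulnerableRedirectTarget, safeRedirectTarget, isLocalRedirect, newRedirectHandler and locationFor are chosen for this example only.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// vulnerableRedirectTarget models the flawed pattern the advisory describes.
// This is an assumed simplification for illustration, not Prometheus's code.
// The router matched "/new", and the handler strips that prefix from the
// remaining path once more before redirecting. For the crafted request
// "/new/newhttp://www.google.com/" the remainder is "/newhttp://www.google.com/",
// so the second strip leaves an absolute URL and the browser leaves the site.
// externalPath stands in for the path part of --web.external-url.
func vulnerableRedirectTarget(externalPath, remainder string) string {
	return externalPath + strings.TrimPrefix(remainder, "/new")
}

// safeRedirectTarget always produces a root-relative path under externalPath:
// all leading slashes are removed and exactly one is put back, so the result
// can never start with a scheme ("http:") or a protocol-relative "//host".
// path.Join also collapses any "//" left inside the path.
func safeRedirectTarget(externalPath, remainder string) string {
	rest := strings.TrimPrefix(remainder, "/new")
	rel := "/" + strings.TrimLeft(rest, "/")
	return path.Join("/", externalPath, rel)
}

// isLocalRedirect is an independent check for a Location value: it must
// parse as a path-only URL (no scheme, no host), start with a single "/",
// and contain no backslash, which some browsers treat as a slash.
func isLocalRedirect(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" &&
		strings.HasPrefix(u.Path, "/") &&
		!strings.HasPrefix(target, "//") &&
		!strings.Contains(target, `\`)
}

// newRedirectHandler serves the /new prefix using either the flawed or the
// hardened target computation, so the two can be compared side by side.
func newRedirectHandler(externalPath string, safe bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		remainder := strings.TrimPrefix(r.URL.Path, "/new")
		target := vulnerableRedirectTarget(externalPath, remainder)
		if safe {
			target = safeRedirectTarget(externalPath, remainder)
		}
		if q := r.URL.RawQuery; q != "" {
			target += "?" + q
		}
		http.Redirect(w, r, target, http.StatusFound)
	})
}

// locationFor sends one request through the handler in-process and returns
// the Location header a browser would follow.
func locationFor(externalPath string, safe bool, requestTarget string) string {
	req := httptest.NewRequest(http.MethodGet, requestTarget, nil)
	rec := httptest.NewRecorder()
	newRedirectHandler(externalPath, safe).ServeHTTP(rec, req)
	return rec.Result().Header.Get("Location")
}

func main() {
	crafted := "/new/newhttp://www.google.com/" // the advisory's example path
	fmt.Println("flawed  :", locationFor("", false, crafted)) // http://www.google.com/
	fmt.Println("hardened:", locationFor("", true, crafted))  // /http:/www.google.com
	fmt.Println("flawed, --web.external-url with a path:", locationFor("/prom", false, crafted))
	fmt.Println("hardened, normal request:", locationFor("/prom", true, "/new/graph?g0.expr=up"))
}
```

Running it shows why the advisory's note holds: with a non-empty externalPath even the flawed computation yields a local path, because the external prefix is glued in front of the "http:" and the result can no longer be parsed as an absolute URL. isLocalRedirect is the kind of assertion worth adding to a reverse-proxy or handler test so that a future change to the redirect logic cannot reintroduce an off-site Location.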
Affected Products
Alt Linux
Prometheus
Suse