CVE-2021-29622

Aliases: GHSA-vx57-7f4q-fpc7, BIT-prometheus-2021-29622
Modified
Published: 19 May 2021, 20:00
Last modified: 03 Aug 2024, 22:11

Vulnerability Summary

Overall Risk (default): medium (43/100)
CVSS Score: 6.5 MEDIUM, v3.1 (cve.org)
EPSS Score: 87.48% CRITICAL (87% probability, +0.85%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

19 May 2021, 20:00 - Published: vulnerability first disclosed
03 Aug 2024, 22:11 - Last Modified: vulnerability information updated

Description

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.

CVSS Metrics

  • v3.1 MEDIUM, Score: 6.5, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • v3.1 MEDIUM, Score: 6.1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • v2.0 MEDIUM, Score: 5.8, Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 87.48% Percentile: 99%

Techniques & Countermeasures

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

    The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Affected Systems

  • github.com/prometheus/prometheus

    ≥ 2.23.0, < 2.26.1 | ≥ 2.27.0, < 2.27.1

  • prometheus/prometheus

    ≥ 2.23.0, < 2.26.1 | 2.27.0 | 2.27.0:rc0 | ≥ 2.23.0, < 2.27.1
