CVE-2021-29622

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-29622
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29622.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-29622
Aliases
Related
Published
2021-05-19T20:15:07Z
Modified
2025-05-28T10:26:22.865750Z
Downstream
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed with /new redirect to /. Due to a bug in that redirect code, an attacker can craft a URL under the /new endpoint that redirects to any other URL: if a user visits a Prometheus server with such a specially crafted address, they are sent to an arbitrary, attacker-chosen URL (an open redirect). The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus. Note that the tag list under Affected versions below is broader than this description: it covers every tag up to v2.27.0, including releases older than 2.23.0 that predate the /new redirect.
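
The bug class and the two mitigations the description names (the code fix and the reverse-proxy block on /new), as an added Go illustration that is not the Prometheus source: a naive /new prefix handler that forwards the remainder of the request path into the Location header, a hardened counterpart that normalises it to a same-origin path, a denyNewPrefix middleware standing in for the reverse-proxy workaround, and a leavesOrigin check a tester can run over a captured Location header. The probe paths (a scheme-relative `//evil.example/` and a backslash variant) are constructed here as the standard shapes for this bug class, not necessarily the exact URL that was reported, and the hostname evil.example is a placeholder.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// vulnerableNewHandler forwards whatever follows the /new prefix straight into
// the Location header. This is a simplified stand-in for the bug class the
// advisory describes, not the Prometheus source. "//evil.example/" after the
// prefix is a scheme-relative URL, and `/\evil.example/` is read the same way
// by browsers, so both leave the origin.
func vulnerableNewHandler(w http.ResponseWriter, r *http.Request) {
	rest := strings.TrimPrefix(r.URL.Path, "/new")
	if rest == "" {
		rest = "/"
	}
	http.Redirect(w, r, rest, http.StatusFound)
}

// safeTarget turns the stripped suffix into an absolute same-origin path.
// Backslashes are folded to slashes first (browsers treat "/\host" as
// "//host"), then path.Clean collapses repeated slashes and resolves "..",
// so the result starts with exactly one "/" and carries no authority part.
func safeTarget(rest string) string {
	rest = strings.ReplaceAll(rest, `\`, "/")
	return path.Clean("/" + rest)
}

// fixedNewHandler is the hardened counterpart of vulnerableNewHandler.
func fixedNewHandler(w http.ResponseWriter, r *http.Request) {
	rest := strings.TrimPrefix(r.URL.Path, "/new")
	http.Redirect(w, r, safeTarget(rest), http.StatusFound)
}

// denyNewPrefix is the advisory's workaround expressed as middleware: refuse
// /new and everything beneath it before the redirect handler can run, which
// is what a reverse proxy in front of Prometheus would be configured to do.
func denyNewPrefix(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/new" || strings.HasPrefix(r.URL.Path, "/new/") {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// leavesOrigin reports whether a Location value would send the browser to a
// different origin. Backslashes are folded before parsing because net/url
// keeps them inside the path while browsers treat them as separators.
func leavesOrigin(location string) bool {
	u, err := url.Parse(strings.ReplaceAll(location, `\`, "/"))
	if err != nil {
		return true // an unparsable redirect target is treated as unsafe
	}
	return u.Scheme != "" || u.Host != ""
}

// probe sends a GET for reqPath to h and returns the status code and the
// Location header, the same observation a curl -I against a live server gives.
func probe(h http.Handler, reqPath string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, reqPath, nil))
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	// Constructed probe paths: a benign one and the two classic open-redirect shapes.
	probes := []string{"/new/graph", "/new//evil.example/", `/new/\evil.example/`}
	for _, p := range probes {
		_, vulnLoc := probe(http.HandlerFunc(vulnerableNewHandler), p)
		_, fixedLoc := probe(http.HandlerFunc(fixedNewHandler), p)
		code, _ := probe(denyNewPrefix(http.HandlerFunc(fixedNewHandler)), p)
		fmt.Printf("%-22s vulnerable=%-18q leavesOrigin=%-5v fixed=%-16q proxied=%d\n",
			p, vulnLoc, leavesOrigin(vulnLoc), fixedLoc, code)
	}
}
```

Running it prints the three probes side by side: the vulnerable handler emits `//evil.example/` and `/\evil.example/` verbatim, the hardened one folds both to `/evil.example`, and the middleware answers 404 for anything under /new. Against a live instance the equivalent observation (assumed usage, not part of the advisory) is to request `/new//evil.example/` with `curl -sI` and inspect the Location header: after the reverse-proxy workaround there is none, and on 2.26.1 or 2.27.1 it stays on the server's own origin.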

References

Affected packages

Git / github.com/prometheus/prometheus

Affected ranges

Type
GIT
Repo
https://github.com/prometheus/prometheus
Events

Affected versions

0.*

0.1.0
0.10.0
0.11.0
0.11.1
0.12.0
0.13.0
0.13.0rc2
0.13.1
0.13.2
0.13.3
0.14.0
0.14.0rc1
0.14.0rc2
0.14.0rc3
0.15.0
0.15.0rc1
0.15.0rc2
0.15.0rc3
0.15.1
0.16.0
0.16.0rc1
0.16.0rc2
0.17.0rc1
0.17.0rc2
0.18.0
0.18.0rc1
0.19.0
0.19.1
0.19.2
0.19.3
0.2.0
0.2.1
0.20.0
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
0.9.0rc1
0.9.0rc2
0.9.0rc3
0.9.0rc4
0.9.0rc5

Other

checkout
dev
discovery-handle-discoverer-updates

v1.*

v1.0.0
v1.0.0-rc.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.0-beta.0
v1.3.1
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.8.1

v2.*

v2.0.0
v2.0.0-alpha.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-beta.0
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-rc.0
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v2.1.0
v2.10.0
v2.10.0-rc.0
v2.11.0
v2.11.0-rc.0
v2.11.1
v2.11.2
v2.12.0
v2.12.0-rc.0
v2.13.0
v2.13.0-rc.0
v2.14.0
v2.14.0-rc.0
v2.15.0
v2.15.0-rc.0
v2.15.1
v2.15.2
v2.16.0
v2.16.0-rc.0
v2.16.0-rc.1
v2.17.0
v2.17.0-rc.0
v2.17.0-rc.1
v2.17.0-rc.2
v2.17.0-rc.3
v2.17.0-rc.4
v2.17.1
v2.17.2
v2.18.0
v2.18.0-rc.0
v2.18.0-rc.1
v2.18.1
v2.18.2
v2.19.0
v2.19.0-rc.0
v2.19.1
v2.19.2
v2.19.3
v2.2.0
v2.2.0-rc.0
v2.2.0-rc.1
v2.2.1
v2.20.0
v2.20.0-rc.0
v2.20.0-rc.1
v2.20.1
v2.21.0
v2.21.0-rc.0
v2.21.0-rc.1
v2.22.0
v2.22.0-rc.0
v2.22.1
v2.22.2
v2.23.0
v2.23.0-rc.0
v2.24.0
v2.24.0-rc.0
v2.24.1
v2.25.0
v2.25.0-rc.0
v2.25.1
v2.25.2
v2.26.0
v2.26.0-rc.0
v2.27.0
v2.27.0-rc.0
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.0-rc.0
v2.4.1
v2.4.2
v2.4.3
v2.5.0
v2.5.0-rc.0
v2.5.0-rc.1
v2.5.0-rc.2
v2.6.0
v2.6.0-rc.0
v2.6.0-rc.1
v2.6.1
v2.7.0
v2.7.0-rc.0
v2.7.0-rc.1
v2.7.0-rc.2
v2.7.1
v2.7.2
v2.8.0
v2.8.0-rc.0
v2.8.1
v2.9.0
v2.9.0-rc.0
v2.9.1
v2.9.2