CVE-2021-29622
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-29622
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29622.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-29622
- Aliases
- Related
- Published
- 2021-05-19T20:15:07Z
- Modified
- 2025-05-28T10:26:22.865750Z
- Downstream
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
- References
Affected packages
Git / github.com/prometheus/prometheus
Affected ranges
- Type
- GIT
- Repo
- https://github.com/prometheus/prometheus
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixedFixed
Affected versions
0.*
0.1.0
0.10.0
0.11.0
0.11.1
0.12.0
0.13.0
0.13.0rc2
0.13.1
0.13.2
0.13.3
0.14.0
0.14.0rc1
0.14.0rc2
0.14.0rc3
0.15.0
0.15.0rc1
0.15.0rc2
0.15.0rc3
0.15.1
0.16.0
0.16.0rc1
0.16.0rc2
0.17.0rc1
0.17.0rc2
0.18.0
0.18.0rc1
0.19.0
0.19.1
0.19.2
0.19.3
0.2.0
0.2.1
0.20.0
0.3.0
0.4.0
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
0.9.0rc1
0.9.0rc2
0.9.0rc3
0.9.0rc4
0.9.0rc5
Other
checkout
dev
discovery-handle-discoverer-updates
v1.*
v1.0.0
v1.0.0-rc.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.0-beta.0
v1.3.1
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.8.1
v2.*
v2.0.0
v2.0.0-alpha.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-beta.0
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-rc.0
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v2.1.0
v2.10.0
v2.10.0-rc.0
v2.11.0
v2.11.0-rc.0
v2.11.1
v2.11.2
v2.12.0
v2.12.0-rc.0
v2.13.0
v2.13.0-rc.0
v2.14.0
v2.14.0-rc.0
v2.15.0
v2.15.0-rc.0
v2.15.1
v2.15.2
v2.16.0
v2.16.0-rc.0
v2.16.0-rc.1
v2.17.0
v2.17.0-rc.0
v2.17.0-rc.1
v2.17.0-rc.2
v2.17.0-rc.3
v2.17.0-rc.4
v2.17.1
v2.17.2
v2.18.0
v2.18.0-rc.0
v2.18.0-rc.1
v2.18.1
v2.18.2
v2.19.0
v2.19.0-rc.0
v2.19.1
v2.19.2
v2.19.3
v2.2.0
v2.2.0-rc.0
v2.2.0-rc.1
v2.2.1
v2.20.0
v2.20.0-rc.0
v2.20.0-rc.1
v2.20.1
v2.21.0
v2.21.0-rc.0
v2.21.0-rc.1
v2.22.0
v2.22.0-rc.0
v2.22.1
v2.22.2
v2.23.0
v2.23.0-rc.0
v2.24.0
v2.24.0-rc.0
v2.24.1
v2.25.0
v2.25.0-rc.0
v2.25.1
v2.25.2
v2.26.0
v2.26.0-rc.0
v2.27.0
v2.27.0-rc.0
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.0-rc.0
v2.4.1
v2.4.2
v2.4.3
v2.5.0
v2.5.0-rc.0
v2.5.0-rc.1
v2.5.0-rc.2
v2.6.0
v2.6.0-rc.0
v2.6.0-rc.1
v2.6.1
v2.7.0
v2.7.0-rc.0
v2.7.0-rc.1
v2.7.0-rc.2
v2.7.1
v2.7.2
v2.8.0
v2.8.0-rc.0
v2.8.1
v2.9.0
v2.9.0-rc.0
v2.9.1
v2.9.2