GHSA-vx57-7f4q-fpc7

Source

https://github.com/advisories/GHSA-vx57-7f4q-fpc7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-vx57-7f4q-fpc7/GHSA-vx57-7f4q-fpc7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vx57-7f4q-fpc7

Aliases

Related

CVE-2021-29622

Published

2022-02-15T01:57:18Z

Modified

2023-12-06T01:01:09.923926Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Arbitrary redirects under /new endpoint

Details

Impact

In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint.

If a user visits a prometheus server with a specially crafted address (e.g.: http://127.0.0.1:9090/new/new<url>), they can be redirected to an arbitrary URL.

e.g. if a user visits http://127.0.0.1:9090/new/newhttp://www.google.com/, they will be redirected to http://google.com.

Patches

The issue will be patched in 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely.

Workarounds

The workaround is to disable access to /new via a reverse proxy in front of Prometheus.

Note: Users who use a --web.external-url= flag with a path (e.g. --web.external-url=http://example.com/prometheus) are not affected.

For more information

If you have any questions or comments about this advisory, please use our community channels (https://prometheus.io/community). Our security policy is available at https://prometheus.io/docs/operating/security/

Database specific

{
    "cwe_ids": [
        "CWE-601"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "nvd_published_at": "2021-05-19T20:15:00Z",
    "github_reviewed_at": "2021-05-19T17:58:51Z"
}

References

Affected packages

Go / github.com/prometheus/prometheus

Package

Name: github.com/prometheus/prometheus; View open source insights on deps.dev
Purl: pkg:golang/github.com/prometheus/prometheus

Affected ranges

Type: SEMVER
Events: Introduced

2.23.0

Fixed

2.26.1

Go / github.com/prometheus/prometheus

Package

Name: github.com/prometheus/prometheus; View open source insights on deps.dev
Purl: pkg:golang/github.com/prometheus/prometheus

GHSA-vx57-7f4q-fpc7

Impact

Patches

Workarounds

For more information

Affected packages

Go / github.com/prometheus/prometheus

Package

Affected ranges

Go / github.com/prometheus/prometheus

Package

Affected ranges

Affected versions

2.*