CVE-2021-29622 : Prometheus is an open-source monitoring system and time series database. In 2.23

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.

Published 2021-05-19 20:15:07

Updated 2021-05-26 22:29:03

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Open redirect

Products affected by CVE-2021-29622

Prometheus » Prometheus
Versions from including (>=) 2.23.0 and before (<) 2.26.1
cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*
Matching versions
Prometheus » Prometheus » Version: 2.27.0
cpe:2.3:a:prometheus:prometheus:2.27.0:-:*:*:*:*:*:*
Matching versions
Prometheus » Prometheus » Version: 2.27.0 Update RC0
cpe:2.3:a:prometheus:prometheus:2.27.0:rc0:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-29622

EPSS FAQ

86.63%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-29622

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2021-29622

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-29622

https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7

Open Redirect under the /new endpoint · Advisory · prometheus/prometheus · GitHub
Third Party Advisory
https://github.com/prometheus/prometheus/releases/tag/v2.26.1

Release 2.26.1 / 2021-05-18 · prometheus/prometheus · GitHub
Third Party Advisory
https://github.com/prometheus/prometheus/releases/tag/v2.27.1

Release 2.27.1 / 2021-05-18 · prometheus/prometheus · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-29622

Products affected by CVE-2021-29622

Exploit prediction scoring system (EPSS) score for CVE-2021-29622

CVSS scores for CVE-2021-29622

CWE ids for CVE-2021-29622

References for CVE-2021-29622