6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29622

GHSA ID

GHSA-vx57-7f4q-fpc7

EPSS Score

0.99365%

CWE

CWE-601

Published

2/15/2022

Updated

2/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29622

CVE-2021-29622:
Arbitrary redirects under /new endpoint

Impact

In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint.

If a user visits a prometheus server with a specially crafted address (e.g.: http://127.0.0.1:9090/new/new<url>), they can be redirected to an arbitrary URL.

e.g. if a user visits http://127.0.0.1:9090/new/newhttp://www.google.com/, they will be redirected to http://google.com.

Patches

The issue will be patched in 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely.

Workarounds

The workaround is to disable access to /new via a reverse proxy in front of Prometheus.

Note: Users who use a --web.external-url= flag with a path (e.g. --web.external-url=http://example.com/prometheus) are not affected.

For more information

If you have any questions or comments about this advisory, please use our community channels (https://prometheus.io/community). Our security policy is available at https://prometheus.io/docs/operating/security/

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29622

GHSA ID

GHSA-vx57-7f4q-fpc7

EPSS Score

0.99365%

CWE

CWE-601

Published

2/15/2022

Updated

2/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/prometheus/prometheus	go	>= 2.23.0, < 2.26.1	2.26.1
github.com/prometheus/prometheus	go	= 2.27.0	2.27.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the anonymous handler function registered for the '/new/*path' route within web/web.go. The key evidence is the patch removing 'strings.TrimPrefix(p, "/new")' from the redirect target construction. This trimming operation made it possible for attackers to inject additional path segments (including full URLs) after '/new/new' in the URL. The function would appear in profilers as an anonymous closure within the web.New function, which is where the router handler is defined. The direct manipulation of user-supplied 'path' parameter without proper validation makes this the primary vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In *.**.*, Prom*t**us ***n*** its ****ult UI to t** N*w ui. To *nsur* * s**ml*ss tr*nsition, t** URL's pr**ix** *y /n*w r**ir**t to /. *u* to * *u* in t** *o**, it is possi*l* *or *n *tt**k*r to *r**t *n URL t**t **n r**ir**t to *ny ot**r

Reasoning

T** vuln*r**ility *xists in t** *nonymous **n*l*r *un*tion r**ist*r** *or t** '/n*w/*p*t*' rout* wit*in `w**/w**.*o`. T** k*y *vi**n** is t** p*t** r*movin* 'strin*s.TrimPr**ix(p, "/n*w")' *rom t** r**ir**t t*r**t *onstru*tion. T*is trimmin* op*r*tio

6.1

Basic Information

Concerned about an active attack path?

CVE-2021-29622: Arbitrary redirects under /new endpoint

Impact

Patches

Workarounds

For more information

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-29622:
Arbitrary redirects under /new endpoint

Vulnerability Intelligence
Miggo AI