CVE-2021-29622: Arbitrary redirects under /new endpoint
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-29622
EPSS Score: 0.99365%
Published: 2/15/2022
Updated: 2/1/2023
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/prometheus/prometheus | go | >= 2.23.0, < 2.26.1 | 2.26.1 |
| github.com/prometheus/prometheus | go | = 2.27.0 | 2.27.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability exists in the anonymous handler function registered for the '/new/*path' route within web/web.go. The key evidence is the patch removing 'strings.TrimPrefix(p, "/new")' from the redirect target construction. This trimming operation made it possible for attackers to inject additional path segments (including full URLs) after '/new/new' in the URL. In profilers the function appears as an anonymous closure within the web.New function, where the router handler is defined. The direct use of the user-supplied 'path' parameter without proper validation makes this the primary vulnerable function.
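The following Go program is an added, constructed example (not Prometheus's own code) that mirrors the pre- and post-patch redirect target constructions named above and adds the same-origin check a reviewer would want before calling http.Redirect; the handler inputs, the empty ExternalURL path and the example.com input are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Pre-patch construction of the redirect target (mirrors the TrimPrefix
// version described above). p is the catch-all "path" parameter, i.e.
// everything after "/new" including its leading slash; externalPath stands
// in for o.ExternalURL.Path, which is empty by default.
func vulnerableTarget(externalPath, p, rawQuery string) string {
	return path.Join(externalPath, strings.TrimPrefix(p, "/new")) + "?" + rawQuery
}

// Post-patch construction: the parameter is joined as-is, so the cleaned
// result always keeps its leading slash and stays on the same origin.
func patchedTarget(externalPath, p, rawQuery string) string {
	return path.Join(externalPath, p) + "?" + rawQuery
}

// isLocalRedirect is the defensive check to apply before http.Redirect:
// the target must parse without a scheme or host and begin with exactly
// one slash (rejecting the protocol-relative "//host" and "/\host" forms).
func isLocalRedirect(target string) bool {
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "" || u.Host != "" {
		return false
	}
	return strings.HasPrefix(u.Path, "/") &&
		!strings.HasPrefix(u.Path, "//") && !strings.HasPrefix(u.Path, "/\\")
}

func main() {
	// Constructed inputs: a legitimate old-UI path, and one where a full URL
	// follows the second "new" so that TrimPrefix leaves no leading slash and
	// path.Join's Clean turns "http://" into "http:/", which browsers still
	// treat as an absolute URL.
	for _, p := range []string{"/new/graph", "/newhttp://example.com"} {
		v := vulnerableTarget("", p, "g0.expr=up")
		f := patchedTarget("", p, "g0.expr=up")
		fmt.Printf("p=%q\n  before patch: %q local=%v\n  after patch:  %q local=%v\n",
			p, v, isLocalRedirect(v), f, isLocalRedirect(f))
	}
}
```

Because url.Parse sees a scheme in the pre-patch target, http.Redirect emits it unchanged as the Location header rather than resolving it against the request path, which is why the same-origin check has to run on the constructed string itself.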