
CVE-2021-29622: Arbitrary redirects under /new endpoint

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.99365%
Published: 2/15/2022
Updated: 2/1/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name                      | Ecosystem | Vulnerable Versions  | First Patched Version
github.com/prometheus/prometheus  | go        | >= 2.23.0, < 2.26.1  | 2.26.1
github.com/prometheus/prometheus  | go        | = 2.27.0             | 2.27.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability exists in the anonymous handler function registered for the '/new/*path' route within web/web.go. The key evidence is the patch removing 'strings.TrimPrefix(p, "/new")' from the construction of the redirect target. That trimming step made it possible for an attacker to inject additional path segments (including full URLs) after '/new/new' in the URL. In profilers the function appears as an anonymous closure within web.New, where the router handlers are defined. Because the user-supplied 'path' parameter is used directly, without validation of the resulting redirect target, this closure is the primary vulnerable function.
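The following is an added example, not code from the Prometheus project or from this advisory: it models the two ways the redirect target can be built from the '/new/*path' route parameter (with and without the TrimPrefix the patch removed) and adds the check a defender wants before handing a user-derived target to http.Redirect. The names redirectTarget, isLocalRedirect and locationFor, the use of path.Join with an external URL path prefix, the assumption that the catch-all parameter keeps its leading slash, and the sample input using example.com are all assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// redirectTarget models the redirect target built from the "/new/*path"
// route parameter p (assumed to keep its leading slash, httprouter-style).
// externalPath stands in for a configured external URL path prefix ("" if
// none). trimNew=true applies the strings.TrimPrefix(p, "/new") step that
// the fix removed; trimNew=false is the post-fix construction.
// This is a simplified model, not the project's own handler.
func redirectTarget(externalPath, p string, trimNew bool) string {
	if trimNew {
		p = strings.TrimPrefix(p, "/new")
	}
	return path.Join(externalPath, p)
}

// isLocalRedirect is the guard to apply before http.Redirect: the target
// must parse as a path-only reference (no scheme, no host) and must not be
// protocol-relative ("//host" or "///host", which browsers may treat alike).
func isLocalRedirect(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && !strings.HasPrefix(target, "//")
}

// locationFor sends the redirect through net/http and returns the Location
// header a client would actually receive for the given target.
func locationFor(target string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/new/x", nil)
	http.Redirect(rec, req, target, http.StatusFound)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed sample: a full URL placed directly after "/new" in the
	// route parameter (request path "/new/newhttp://example.com").
	p := "/newhttp://example.com"
	for _, trim := range []bool{true, false} {
		tgt := redirectTarget("", p, trim)
		fmt.Printf("trimNew=%v target=%q local=%v Location=%q\n",
			trim, tgt, isLocalRedirect(tgt), locationFor(tgt))
	}
}
```

With the trim step the target becomes "http:/example.com", which url.Parse reports with a scheme and the guard rejects; without it the target stays a local path under the server's own UI.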

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Impact

In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other
