CVE-2021-29622 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-29622 PUBLISHED

Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.

EPSS 90.13% · 99.6th percentile

Risk Scores

EPSS Score

90.13%

99.6th percentile

Affected Products

Vendor	Product	Versions
Bitnami	prometheus	2.23.0, 2.27.0
Bitnami	prometheus	2.23.0, 2.27.0

Timeline

May 18, 2021 CVE Published
May 20, 2021 EPSS Score
Sep 21, 2021 EPSS Score
Nov 21, 2021 EPSS Score
Jan 21, 2022 EPSS Score
Mar 22, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Jul 23, 2022 EPSS Score
Sep 22, 2022 EPSS Score
Nov 22, 2022 EPSS Score
Mar 7, 2023 EPSS Score
May 24, 2023 EPSS Score

References

Open in Interactive Console →