VDB
CVE-2021-29622
CVE-2021-29622
PUBLISHED
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
EPSS 87.48% · 99.5th percentile
Risk Scores
EPSS Score
87.48%
99.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | prometheus | 2.23.0, 2.27.0 |
| Bitnami | prometheus | 2.23.0, 2.27.0 |
Exploit Intelligence
- https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7 (circl)
- https://github.com/prometheus/prometheus/releases/tag/v2.26.1 (circl)
- https://github.com/prometheus/prometheus/releases/tag/v2.27.1 (circl)
- web_poc_map_v2.yaml (github-poc)
- web_poc_map_v2.yaml (github-poc)
- web_poc_map_v2.yaml (github-poc)
- web_poc_map_v2.yaml (github-poc)
- web_poc_map_v2.yaml (github-poc)
- web_poc_map_v2.yaml (github-poc)
- web_poc_map_v2.yaml (github-poc)
…and 29 more exploits
Timeline
- May 18, 2021 CVE Published
- May 20, 2021 EPSS Score
- Sep 22, 2021 EPSS Score
- Nov 22, 2021 EPSS Score
- Jan 23, 2022 EPSS Score
- Mar 25, 2022 EPSS Score
- May 26, 2022 EPSS Score
- Jul 27, 2022 EPSS Score
- Sep 27, 2022 EPSS Score
- Jan 28, 2023 EPSS Score
- Mar 30, 2023 EPSS Score
- May 31, 2023 EPSS Score