CVE-2021-29622
published 2021-05-19
Priority P3 · 52 · medium · 6.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 19.56% (97.0th percentile)
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /. Due to a bug in the code, an attacker can craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | prometheus | — | — |
| github.com | prometheus_prometheus | >= 2.23.0 < 2.26.1 | 2.26.1 |
| github.com | prometheus_prometheus | >= 2.27.0 < 2.27.1 | 2.27.1 |
| msrc | cbl2_prometheus_2.36.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| prometheus | prometheus | — | — |
| prometheus | prometheus | — | — |
| prometheus | prometheus | >= 2.23.0 < 2.26.1 | 2.26.1 |
Detection & IOCs (extracted from sources)
- Detect open redirect exploitation attempts by monitoring HTTP GET requests to the /new endpoint where the path contains an embedded absolute URL (e.g., /new/newhttp:// or /new/newhttps://), indicating an attempt to abuse the redirect logic.
- Inspect HTTP response Location headers for redirects to unexpected external domains originating from requests to the /new path prefix; a crafted URL causes Prometheus to issue a 3xx redirect to an attacker-controlled site.
- The Nuclei template proof-of-concept payload pattern is GET /new/newhttp://<attacker-domain>; look for this /new/new<scheme>:// pattern in web server access logs targeting Prometheus instances.
- Affected versions are Prometheus 2.23.0 through 2.26.0 and 2.27.0; triage alerts by confirming the running Prometheus version falls within this range before escalating.
- The /new endpoint (and therefore this vulnerability) was introduced in Prometheus 2.23.0; versions prior to 2.23.0 are not affected and do not require detection tuning for this CVE.
- As a workaround, blocking access to the /new path via a reverse proxy fully mitigates the vulnerability without patching; detection rules should account for environments where /new is already blocked at the proxy layer (exploitation attempts would then never reach Prometheus).
- In Prometheus 2.28.0 the /new endpoint is removed entirely; any detection rule keying on /new requests should be scoped to instances running versions below 2.28.0 to avoid false positives on upgraded deployments.
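A log-triage sketch for the indicators above, added here as an example and not a published detection rule: `scanAccessLog` flags requests whose `/new/new` remainder carries its own URL scheme (decoding percent-encoding first), and `affected` applies the version ranges the advisory gives so that alerts can be scoped as the last three items describe. The log lines are constructed in common log format, `attacker.example` is a made-up host, and the tolerance for a single slash after the scheme is a hardening choice of this example rather than a variant the advisory documents.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Hit is one access-log request whose /new remainder carries its own scheme
// and host, i.e. the shape of an attempt to abuse the redirect.
type Hit struct {
	Line                         int
	Client, Target, Scheme, Host string
}

var (
	// requestLine pulls client address, method and target out of a common-log-format line.
	requestLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP/[0-9.]+"`)
	// embeddedURL matches the documented PoC shape /new/new<scheme>://<host>. It also
	// accepts a single slash after the colon: browsers normalise "http:/host" to
	// "http://host", so a rule keyed strictly on "://" is easy to sidestep (example choice).
	embeddedURL = regexp.MustCompile(`^/new/new([A-Za-z][A-Za-z0-9+.\-]*):/+([^/?#]+)`)
)

// suspiciousNewPath reports whether a request target abuses the /new redirect.
// Percent-encoding is decoded first so that %3A%2F%2F cannot slip past the regex.
func suspiciousNewPath(target string) (Hit, bool) {
	decoded, err := url.PathUnescape(target)
	if err != nil {
		decoded = target
	}
	m := embeddedURL.FindStringSubmatch(decoded)
	if m == nil {
		return Hit{}, false
	}
	return Hit{Target: target, Scheme: strings.ToLower(m[1]), Host: m[2]}, true
}

// scanAccessLog runs suspiciousNewPath over every parsable line and returns the hits.
func scanAccessLog(lines []string) []Hit {
	var hits []Hit
	for i, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if h, ok := suspiciousNewPath(m[3]); ok {
			h.Line, h.Client = i+1, m[1]
			hits = append(hits, h)
		}
	}
	return hits
}

// versionCode packs "MAJOR.MINOR.PATCH" (optionally "v"-prefixed) into one comparable
// integer, 1000 per component (each assumed below 1000), so 2.26.1 becomes 2026001.
// Pre-release suffixes such as "-rc.0" do not parse and yield ok == false.
func versionCode(version string) (int, bool) {
	parts := strings.Split(strings.TrimPrefix(version, "v"), ".")
	if len(parts) != 3 {
		return 0, false
	}
	code := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n >= 1000 {
			return 0, false
		}
		code = code*1000 + n
	}
	return code, true
}

// affected reports whether a Prometheus version lies in a range the advisory lists
// as vulnerable: [2.23.0, 2.26.1) or [2.27.0, 2.27.1), written here as version codes.
func affected(version string) bool {
	c, ok := versionCode(version)
	return ok && (c >= 2023000 && c < 2026001 || c >= 2027000 && c < 2027001)
}

// sampleLog is constructed traffic in common log format, not real data.
var sampleLog = []string{
	`10.0.0.5 - - [19/May/2021:10:01:02 +0000] "GET /new/graph HTTP/1.1" 302 24 "-" "Mozilla/5.0"`,
	`203.0.113.9 - - [19/May/2021:10:02:17 +0000] "GET /new/newhttp://attacker.example/ HTTP/1.1" 302 43 "-" "curl/7.68.0"`,
	`203.0.113.9 - - [19/May/2021:10:02:18 +0000] "GET /new/newhttps%3A%2F%2Fattacker.example/login HTTP/1.1" 302 49 "-" "curl/7.68.0"`,
	`10.0.0.7 - - [19/May/2021:10:03:00 +0000] "GET /api/v1/query?query=up HTTP/1.1" 200 512 "-" "Go-http-client/1.1"`,
}

func main() {
	for _, h := range scanAccessLog(sampleLog) {
		fmt.Printf("line %d: %s -> %s://%s (%s)\n", h.Line, h.Client, h.Scheme, h.Host, h.Target)
	}
	fmt.Println("2.26.0 affected:", affected("2.26.0"), "| 2.26.1 affected:", affected("2.26.1"))
}
```

Feed it real access logs from the reverse proxy in front of Prometheus (the proxy, not Prometheus itself, is where request paths are normally logged), and gate the alert on `affected` returning true for the version the target instance reports.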
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.5 | LOW | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.1 | MEDIUM | — |
Red Hat
prometheus: open redirect under the /new endpoint
vendor_redhat · 2021-05-18 · CVSS 6.5 · MEDIUM · CWE-601
An open redirect vulnerability was found in Prometheus. By specially crafted URL and a /new
Microsoft
Arbitrary redirects under /new endpoint
vendor_msrc · 2021-05-11 · CVSS 6.1 · MEDIUM · CWE-601
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open-source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft
Debian
CVE-2021-29622: prometheus - Prometheus is an open-source monitoring system and time series database. In 2.23...
vendor_debian · 2021 · CVSS 6.5 · MEDIUM
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
Arbitrary redirects under /new endpoint
osv · 2022-02-15 · MEDIUM
### Impact
In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /.
Due to a bug in the code, an attacker can craft a URL under the /new endpoint that redirects to any other URL.
If a user visits a Prometheus server with a specially crafted address (e.g. `http://127.0.0.1:9090/new/new`), they can be redirected to an arbitrary URL.
For example, a user who visits http://127.0.0.1:9090/new/newhttp://www.google.com/ will be redirected to http://google.com.
### Patches
The issue will be patched in 2.26.1 and 2.27.1 releases.
In 2.28.0, the /new endpoint will be removed completely.
### Workarounds
The workaround is to disable access to /new via a reverse
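The redirect bug and one way to fix it, as an added example that is not Prometheus's own code. `legacyNewRedirect` reconstructs the shape of the pre-2.26.1 `/new` compatibility redirect from the PoC URL quoted in this advisory and in the top description: the assumption made for illustration is that a second `/new` prefix is trimmed from the captured path and the result passed through `path.Join`, which turns `/new/newhttp://host/` into the scheme-bearing string `http:/host` that `http.Redirect` emits verbatim and browsers accept. `safeNewRedirect` is a hardened form. The host `evil.example` and the external-URL prefix `/prom` are constructed test inputs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// legacyNewRedirect mimics the shape of the pre-2.26.1 "/new" compatibility
// redirect (a reconstruction for illustration, not Prometheus's code). It takes
// the remainder of the path after "/new", trims a further "/new" prefix, joins
// it to the external URL path and redirects. For /new/newhttp://evil.example/
// the trimmed remainder is "http://evil.example/"; path.Join collapses "//" to
// "/", giving "http:/evil.example". Because that string carries a scheme,
// http.Redirect sends it unchanged as the Location header, and browsers
// normalise "http:/host" to "http://host": an open redirect.
func legacyNewRedirect(externalPath string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		remainder := strings.TrimPrefix(r.URL.Path, "/new")
		remainder = strings.TrimPrefix(remainder, "/new")
		target := path.Join(externalPath, remainder)
		if r.URL.RawQuery != "" {
			target += "?" + r.URL.RawQuery
		}
		http.Redirect(w, r, target, http.StatusFound)
	})
}

// safeNewRedirect is the hardened form. Joining with an explicit leading "/"
// forces a root-relative, cleaned path (path.Join also resolves ".." segments
// and runs of slashes, so a protocol-relative "//host" cannot survive), and the
// target is rejected outright if it still parses with a scheme or host.
func safeNewRedirect(externalPath string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		remainder := strings.TrimPrefix(r.URL.Path, "/new")
		target := path.Join("/", externalPath, remainder)
		if u, err := url.Parse(target); err != nil || u.Scheme != "" || u.Host != "" {
			http.Error(w, "invalid redirect target", http.StatusBadRequest)
			return
		}
		if r.URL.RawQuery != "" {
			target += "?" + r.URL.RawQuery
		}
		http.Redirect(w, r, target, http.StatusFound)
	})
}

// locationFor serves one GET for rawPath through h and returns the Location
// header, so both handlers can be compared on identical input.
func locationFor(h http.Handler, rawPath string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Header().Get("Location")
}

func main() {
	// Constructed inputs: a benign legacy UI path and the advisory's PoC shape
	// pointed at a made-up attacker host.
	for _, p := range []string{"/new/graph", "/new/newhttp://evil.example/"} {
		fmt.Printf("%-30s legacy -> %-22s hardened -> %s\n",
			p, locationFor(legacyNewRedirect(""), p), locationFor(safeNewRedirect(""), p))
	}
}
```

The benign path `/new/graph` redirects to `/graph` under both handlers; the PoC path yields `Location: http:/evil.example` from the legacy handler and a harmless root-relative `/newhttp:/evil.example` from the hardened one. The second `url.Parse` check in `safeNewRedirect` is belt-and-braces: after `path.Join("/", ...)` the target always starts with a single slash, but an explicit scheme/host rejection keeps the invariant visible to the next person who edits the handler.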
OSV
CVE-2021-29622: Prometheus is an open-source monitoring system and time series database
osv · 2021-05-19 · CVSS 6.1 · MEDIUM
No detection rules found.
Nuclei
Prometheus - Open Redirect
nuclei · CVSS 6.1 · MEDIUM
Prometheus 2.23.0 through 2.26.0 and 2.27.0 contain an open redirect vulnerability. In 2.23.0 the default UI was switched to the new UI and, to ease the transition, URLs prefixed with /new redirect to /. Due to a bug in that redirect, an attacker can send a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:
```yaml
id: CVE-2021-29622

info:
  name: Prometheus - Open Redirect
  author: geeknik
  severity: medium
  description: Prometheus 2.23.0 through 2.26.0 and 2.27.0 contains an open redirect vulnerability. To ensure a seamless transition to 2.27.0, the default UI was changed to the new UI with a URL prefixed by /new redirect to /. Due to a bug in the code, an attacker can redirect a user
```
No writeups or analysis indexed.
- https://github.com/prometheus/prometheus/releases/tag/v2.26.1
- https://github.com/prometheus/prometheus/releases/tag/v2.27.1
- https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7