CVE-2021-29622
published 2021-05-19


Priority: P3 52 · Severity: medium, 6.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: public PoC available (nuclei template)
EPSS: 19.56% (97.0th percentile)
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed with /new redirect to /. Due to a bug in that redirect code, an attacker can craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server via such a specially crafted address, they are redirected to an arbitrary, attacker-chosen URL (an open redirect). The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint is removed completely. The workaround is to block access to /new with a reverse proxy in front of Prometheus.

Affected

9 ranges
Vendor        Product                                       Version range         Fixed in
debian        prometheus                                    -                     -
github.com    prometheus_prometheus                         >= 2.23.0, < 2.26.1   2.26.1
github.com    prometheus_prometheus                         >= 2.27.0, < 2.27.1   2.27.1
msrc          cbl2_prometheus_2.36.0-2_on_cbl_mariner_2.0   -                     -
msrc          cbl_mariner_2.0_arm                           -                     -
msrc          cbl_mariner_2.0_x64                           -                     -
prometheus    prometheus                                    -                     -
prometheus    prometheus                                    -                     -
prometheus    prometheus                                    >= 2.23.0, < 2.26.1   2.26.1

Detection & IOCs (extracted from sources)

Path: /new
  • Detect open redirect exploitation attempts by monitoring HTTP GET requests to the /new endpoint whose path contains an embedded absolute URL (e.g., /new/newhttp:// or /new/newhttps://); that is the shape of a request trying to abuse the redirect logic.
  • Inspect HTTP response Location headers for redirects to unexpected external domains originating from requests under the /new path prefix; a crafted URL causes Prometheus to issue a 3xx redirect to an attacker-controlled site.
  • The nuclei template proof-of-concept payload pattern is GET /new/newhttp://<attacker-domain>; look for this double-scheme pattern in web server access logs for Prometheus instances.
  • Affected versions are Prometheus 2.23.0 through 2.26.0 and 2.27.0; triage alerts by confirming the running Prometheus version falls within these ranges before escalating.
  • The /new endpoint (and therefore this vulnerability) was introduced in Prometheus 2.23.0; versions prior to 2.23.0 are not affected and need no detection tuning for this CVE.
  • As a workaround, blocking access to the /new path at a reverse proxy fully mitigates the vulnerability without patching; detection rules should account for environments where /new is already blocked at the proxy layer, since in that case the probe never reaches Prometheus and only the proxy log will show it.
  • In Prometheus 2.28.0 the /new endpoint is removed entirely; scope any detection rule keying on /new requests to instances running versions below 2.28.0 to avoid false positives on upgraded deployments.
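The detection logic described in the bullets above, as an added example that is not code from the source page or from the Prometheus project. It scans constructed Combined Log Format access-log lines for /new requests carrying an embedded URL, checks a Location header for an off-site destination, and performs the version triage from the affected ranges. It generalises slightly beyond the single nuclei payload: it also flags protocol-relative (/new//host) and URL-encoded variants, and it normalises a single-slash "http:/host" Location because browsers parse that form as "http://host". The log lines, host names and function names are assumptions made for the example.

```python
"""Detection helpers for CVE-2021-29622 (Prometheus /new open redirect).

Added example, not Prometheus project code. Assumes Combined Log Format
access logs and plain "major.minor.patch" version strings.
"""
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: host ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Affected ranges from the advisory: 2.23.0 <= v < 2.26.1 and 2.27.0 <= v < 2.27.1.
AFFECTED_RANGES = (((2, 23, 0), (2, 26, 1)), ((2, 27, 0), (2, 27, 1)))

# A scheme followed by ":/" (covers "http://" and the single-slash form), or a
# protocol-relative "//", anywhere after the /new prefix.
EMBEDDED_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:/|//")


def parse_version(version):
    """'v2.26.0' -> (2, 26, 0)."""
    return tuple(int(x) for x in version.lstrip("v").split(".")[:3])


def is_affected_version(version):
    """True if the running Prometheus falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def is_redirect_probe(path):
    """True if a request path targets /new and carries an embedded absolute URL."""
    p = unquote(path)  # catch %2F / %3A-encoded payloads as well
    if p != "/new" and not p.startswith("/new/"):
        return False
    return EMBEDDED_URL_RE.search(p[len("/new"):]) is not None


def redirects_offsite(location, own_hosts):
    """True if a Location header sends the client to a host outside own_hosts."""
    loc = location.strip()
    # Browsers treat "http:/host" as "http://host", so normalise before parsing.
    loc = re.sub(r"^([A-Za-z][A-Za-z0-9+.\-]*):/+", r"\1://", loc)
    if loc.startswith("//"):
        loc = "http:" + loc
    u = urlsplit(loc)
    if not u.scheme and not u.netloc:
        return False  # relative redirect, stays on this server
    return u.hostname not in own_hosts


def scan_access_log(lines):
    """Return (line_number, path, status) for requests matching the probe pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET" and is_redirect_probe(m.group("path")):
            hits.append((n, m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic). Lines 3 and 4 are probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2021:10:00:01 +0000] "GET /graph HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/May/2021:10:00:02 +0000] "GET /new/graph?g0.expr=up HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/May/2021:10:00:03 +0000] "GET /new/newhttp://attacker.example HTTP/1.1" 302 0 "-" "curl/7.76"',
    '203.0.113.9 - - [19/May/2021:10:00:04 +0000] "GET /new//attacker.example/ HTTP/1.1" 302 0 "-" "curl/7.76"',
    '10.0.0.7 - - [19/May/2021:10:00:05 +0000] "GET /api/v1/query?query=up HTTP/1.1" 200 55 "-" "Prometheus/2.26.0"',
]

if __name__ == "__main__":
    for n, path, status in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: probe {path!r} (status {status})")
    print("2.26.0 affected:", is_affected_version("2.26.0"))
    print("offsite:", redirects_offsite("http:/attacker.example", {"prom.internal"}))
```

Legitimate /new/graph redirects (line 2) are not flagged because they carry no scheme or "//" after the prefix; the Location check treats a relative target as on-site and only alerts when the parsed host is not one of your own. If /new is already blocked at a reverse proxy, run the scan over the proxy's log rather than the Prometheus log.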

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd             v2.0      5.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:N
osv             -         6.1     MEDIUM     -
vendor_debian   -         6.5     LOW        -
vendor_redhat   -         6.5     MEDIUM     -
vendor_msrc     -         6.1     MEDIUM     -