oss-sec mailing list archives
Prometheus 2.26.1-2.27.1 released to fix an Open Redirect security issue
From: Julien Pivotto <roidelapluie () prometheus io>
Date: Wed, 19 May 2021 10:08:13 +0200
Hello,

The Prometheus team has released bugfix releases about an Open Redirect (CWE-601) security issue. The issue has been assigned the CVE number CVE-2021-29622.

---

In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, the URLs prefixed by /new redirect to /.

Due to a bug in the code, it is possible for an attacker to craft a URL that can redirect to any other URL, in the /new endpoint.

If a user visits a Prometheus server with a specially crafted address (e.g. http://127.0.0.1:9090/new/new<url>), they can be redirected to an arbitrary URL. E.g. if a user visits http://127.0.0.1:9090/new/newhttp://www.google.com/, they will be redirected to http://google.com.

---

The security issue affects Prometheus v2.23.0 to v2.26.0, and v2.27.0.

Please find more information here: https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7

The Prometheus team thanks Aaron Devaney from MDSec for reporting this issue.

Timeline:
May 12, 2021: Issue reported privately to Prometheus team
May 12, 2021: A fix is proposed and reviewed
May 13, 2021: CVE-2021-29622 issued by GitHub staff
May 18, 2021: Bugfix released for the last two minor releases of Prometheus.

The releases can be found in the usual locations:
v2.26.1: https://github.com/prometheus/prometheus/releases/tag/v2.26.1
v2.27.1: https://github.com/prometheus/prometheus/releases/tag/v2.27.1

Thanks,
The Prometheus Team
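The following Go program is an added illustration of the CWE-601 pattern the advisory describes; it is not Prometheus's code and does not reproduce the project's actual handler or fix. It models a "/new/*" compatibility redirect two ways: a flawed handler (vulnerableRedirect) that strips the "/new" mount prefix twice and hands the remainder straight to http.Redirect, so the advisory's "/new/new<url>" shape yields an absolute Location header, and a hardened one (hardenedRedirect) that strips the prefix once and forces the target through path.Join("/", ...) so it can only ever be a server-local path. The double strip is an assumption about how such a redirect could go wrong, chosen because it reproduces the advisory's observed behaviour; the function names, the "/new//evil.example/" protocol-relative probe (a variant beyond the page's example that a single strip without cleaning would also let through), and the sample URLs are all constructed for this example.

```go
// Added example (not Prometheus's code): a "/new/*" compatibility
// redirect with an open-redirect (CWE-601) flaw beside a hardened
// version. The double prefix strip in vulnerableRedirect is an
// assumption about how "/new/new<url>" could turn into an external
// Location; the project's real handler is not reproduced here.
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// vulnerableRedirect strips the mount prefix once (as a router would)
// and then once more, and passes the remainder straight to
// http.Redirect. http.Redirect emits any target that already carries a
// scheme or host verbatim, so "/new/newhttp://www.google.com/" becomes
// "Location: http://www.google.com/".
func vulnerableRedirect(mount string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rest := strings.TrimPrefix(r.URL.Path, mount) // router-level strip
		rest = strings.TrimPrefix(rest, mount)        // redundant second strip: the bug
		http.Redirect(w, r, rest, http.StatusFound)
	})
}

// hardenedRedirect strips the mount prefix exactly once and then forces
// the target to be a cleaned, server-local path: path.Join("/", ...)
// collapses "//" (protocol-relative) and cannot yield a scheme, and a
// final parse rejects anything that still looks external.
func hardenedRedirect(mount string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rest := strings.TrimPrefix(r.URL.Path, mount)
		local := path.Join("/", rest)
		if isExternal(local) { // belt and braces; unreachable after Join
			http.Error(w, "bad redirect target", http.StatusBadRequest)
			return
		}
		if r.URL.RawQuery != "" { // keep the original query string
			local += "?" + r.URL.RawQuery
		}
		http.Redirect(w, r, local, http.StatusFound)
	})
}

// isExternal reports whether a Location value would leave the origin:
// an absolute URL (scheme or host set) or a protocol-relative "//host".
func isExternal(loc string) bool {
	if strings.HasPrefix(loc, "//") {
		return true
	}
	u, err := url.Parse(loc)
	return err != nil || u.Scheme != "" || u.Host != ""
}

// locationFor drives a handler with an in-memory request and returns
// the Location header it set (empty if it did not redirect).
func locationFor(h http.Handler, target string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Header().Get("Location")
}

func main() {
	// Constructed probe URLs: a benign request, the advisory's
	// /new/new<url> shape, and a protocol-relative variant.
	probes := []string{
		"/new/graph?g0.expr=up",
		"/new/newhttp://www.google.com/",
		"/new//evil.example/",
	}
	for _, p := range probes {
		fmt.Printf("%-32s vulnerable=%-28q hardened=%q\n",
			p, locationFor(vulnerableRedirect("/new"), p), locationFor(hardenedRedirect("/new"), p))
	}
}
```

Running it shows the flawed handler answering the crafted path with "Location: http://www.google.com/" and the protocol-relative probe with "Location: //evil.example/" (which browsers resolve against the current scheme to another host), while the hardened handler turns both into harmless local paths ("/newhttp:/www.google.com" and "/evil.example"). The useful check to carry into a review of any prefix-stripping redirect is the one in isExternal: whatever string reaches http.Redirect must parse with an empty scheme and host and must not start with "//".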