Prometheus 2.26.1-2.27.1 released to fix an Open Redirect security issue

[Julien Pivotto <roidelapluie () prometheus io>]

Hello,

The Prometheus team has released bugfix releases about an Open Redirect
(CWE-601) security issue.
The issue has been assigned the CVE number CVE-2021-29622.

---

In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a
seamless transition, the URL's prefixed by /new redirect to /.
Due to a bug in the code, it is possible for an attacker to craft an URL
that can redirect to any other URL, in the /new endpoint.

If a user visits a prometheus server with a specially crafted address
(e.g.: http://127.0.0.1:9090/new/new<url>), they can be redirected to an
arbitrary URL.

e.g. if a user visits
http://127.0.0.1:9090/new/newhttp://www.google.com/, they will be
redirected to http://google.com.

---

The security issue affects Prometheus v2.23.0 to v2.26.0, and v2.27.0.

Please find more information here:
https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7

The Prometheus team thanks Aaron Devaney from MDSec for reporting this
issue.

Timeline:
May 12, 2021: Issue reported privately to Prometheus team
May 12, 2021: A fix is proposed and reviewed
May 13, 2021: CVE-2021-29622 issued by GitHub staff
May 18, 2021: Bugfix released for the last two minor releases of
Prometheus.

The releases can be found in the usual locations:

v2.26.1: https://github.com/prometheus/prometheus/releases/tag/v2.26.1
v2.27.1: https://github.com/prometheus/prometheus/releases/tag/v2.27.1

Thanks,

The Prometheus Team

Attachment: signature.asc
Description: