Arbitrary redirects under /new endpoint
Description
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a seamless transition, URLs prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft a URL under the /new endpoint that redirects to any other URL. If a user visits a Prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
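As an added illustration of the mitigation class (not the Prometheus project's own patch), the Go handler below keeps the behaviour the advisory describes, /new-prefixed paths redirecting to the matching path under /, but only ever emits a same-origin absolute path, so a crafted path that a browser would read as a different host gets a 404 instead of a redirect. The page does not state the exact shape of the original bug; `SafeRedirectTarget` and `NewPrefixHandler` are assumed names, and the checks cover the usual ways an open redirect slips through a prefix strip.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// legacyPrefix is the prefix the advisory says was forwarded to "/".
const legacyPrefix = "/new"

// SafeRedirectTarget maps a request path under /new to its destination and
// reports whether redirecting there is safe. It returns only same-origin
// absolute paths; anything a browser could read as another host is refused.
// Added example, not the Prometheus project's fix.
func SafeRedirectTarget(reqPath string) (string, bool) {
	if reqPath != legacyPrefix && !strings.HasPrefix(reqPath, legacyPrefix+"/") {
		return "", false // not a /new request at all
	}
	rest := strings.TrimPrefix(reqPath, legacyPrefix)
	if rest == "" {
		rest = "/"
	}
	// "//host" (and "/\host" in some browsers) is protocol-relative; r.URL.Path
	// is already percent-decoded, so "%2F%2F" arrives here as "//" too.
	if !strings.HasPrefix(rest, "/") || strings.HasPrefix(rest, "//") || strings.HasPrefix(rest, "/\\") {
		return "", false
	}
	// Belt and braces: a parse yielding a scheme, host or userinfo is not a plain path.
	u, err := url.Parse(rest)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", false
	}
	return rest, true
}

// NewPrefixHandler serves the compatibility redirect; unsafe targets get a 404
// rather than a redirect, so the worst outcome is a broken bookmark.
func NewPrefixHandler(w http.ResponseWriter, r *http.Request) {
	target, ok := SafeRedirectTarget(r.URL.Path)
	if !ok {
		http.NotFound(w, r)
		return
	}
	if r.URL.RawQuery != "" {
		target += "?" + r.URL.RawQuery // keep the query, e.g. a PromQL expression
	}
	http.Redirect(w, r, target, http.StatusFound)
}
```

Register it for both "/new" and "/new/" on the mux; the reverse-proxy workaround from the advisory still applies in front of it for unpatched builds.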
Affected products
- Prometheus (no CPE): >= 2.23.0, < 2.27.1
- Prometheus (no CPE): >= 2.23.0, < 2.26.1
References
- github.com/prometheus/prometheus/releases/tag/v2.26.1 (MITRE x_refsource_MISC)
- github.com/prometheus/prometheus/releases/tag/v2.27.1 (MITRE x_refsource_MISC)
- github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7 (MITRE x_refsource_CONFIRM)