CVE-2021-29622
Prometheus vulnerability analysis and mitigation

Overview

CVE-2021-29622 is an Open Redirect vulnerability affecting Prometheus versions 2.23.0 through 2.26.0 and 2.27.0, discovered in May 2021. The vulnerability was introduced when Prometheus changed its default UI to the New UI in version 2.23.0, where URLs prefixed with /new would redirect to /. The issue was reported by Aaron Devaney from MDSec and was patched in versions 2.26.1 and 2.27.1 (GitHub Advisory, Openwall).

Technical details

The vulnerability is classified as an Open Redirect (CWE-601) with a CVSS score of 6.0. Because of a bug in the handling of the /new endpoint, an attacker could craft a special URL under /new that would redirect users to an arbitrary URL. For example, if a user visits a specially crafted address like 'http://127.0.0.1:9090/new/newhttp://www.google.com/', they would be redirected to 'http://google.com'. Users who run Prometheus with a --web.external-url= flag whose value includes a path were not affected by this vulnerability (GitHub Advisory, Rapid7).
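The following Go program is an added illustration and is not Prometheus's own code. It reconstructs the redirect pattern the advisory describes under one assumption: that the request path is stripped of the "/new" prefix twice (once by the router, once by the handler), so a path of the form "/new/new<url>" leaves a bare absolute URL as the redirect target. The vulnerable handler reproduces the crafted URL from the page and shows why a --web.external-url path makes the redirect local; the hardened handler builds a path-absolute target and rejects anything that still parses as a scheme or host, which also covers protocol-relative ("//host") targets beyond the page's example. Function names are the author's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// vulnerableNewHandler is an illustrative reconstruction of the redirect
// pattern behind CVE-2021-29622, not Prometheus's own code. It assumes the
// router has already matched "/new/*rest" and passed the remainder on, and
// that the handler trims "/new" once more before redirecting.
func vulnerableNewHandler(externalURLPath string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rest := strings.TrimPrefix(r.URL.Path, "/new") // what the router hands over (assumed)
		p := strings.TrimPrefix(rest, "/new")          // second, redundant trim (assumed)
		target := p
		if externalURLPath != "" {
			// With a --web.external-url path, path.Join yields a local path,
			// which is why such deployments were not affected.
			target = path.Join(externalURLPath, p)
		}
		http.Redirect(w, r, target, http.StatusFound)
	})
}

// hardenedNewHandler keeps the same input handling but always builds a
// path-absolute target and refuses anything that still parses as a URL
// with a scheme or host.
func hardenedNewHandler(externalURLPath string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rest := strings.TrimPrefix(r.URL.Path, "/new")
		p := strings.TrimPrefix(rest, "/new")
		// A leading "/" element makes path.Join produce a clean local path:
		// "http://host/" becomes "/http:/host" and "//host" becomes "/host".
		target := path.Join("/", externalURLPath, p)
		if !isLocalPath(target) {
			http.Error(w, "invalid redirect target", http.StatusBadRequest)
			return
		}
		http.Redirect(w, r, target, http.StatusFound)
	})
}

// isLocalPath reports whether target is a path-relative URL: it must start
// with exactly one "/" (not "//" or "/\", which browsers read as an
// authority) and must parse with no scheme and no host.
func isLocalPath(target string) bool {
	if !strings.HasPrefix(target, "/") ||
		strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") {
		return false
	}
	u, err := url.Parse(target)
	return err == nil && u.Scheme == "" && u.Host == ""
}

// redirectLocation sends a GET for rawPath to h and returns the Location
// header it produced ("" when the handler did not redirect).
func redirectLocation(h http.Handler, rawPath string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Header().Get("Location")
}

func main() {
	// The crafted path from the advisory example.
	const crafted = "/new/newhttp://www.google.com/"
	fmt.Println("vulnerable, no external path:  ", redirectLocation(vulnerableNewHandler(""), crafted))
	fmt.Println("vulnerable, external path /prom:", redirectLocation(vulnerableNewHandler("/prom"), crafted))
	fmt.Println("hardened, no external path:    ", redirectLocation(hardenedNewHandler(""), crafted))
	fmt.Println("hardened, normal request:      ", redirectLocation(hardenedNewHandler(""), "/new/graph"))
}
```

The handlers are driven directly with httptest rather than through http.ServeMux, because ServeMux would normalise the doubled slashes in the crafted path before the handler ever saw them; a router that does not clean paths is part of the assumed setup. The hardened version's isLocalPath check is the piece worth reusing: it is cheap and catches both the absolute-URL and the protocol-relative shapes of an open redirect.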

Impact

The vulnerability could be exploited to redirect users to malicious websites, potentially enabling phishing attacks. When users visit a Prometheus server with a specially crafted address, they could be redirected to any arbitrary URL without their knowledge or consent (Red Hat).

Mitigation and workarounds

The vulnerability was patched in Prometheus versions 2.26.1 and 2.27.1. Additionally, the /new endpoint was completely removed in version 2.28.0. For users unable to update immediately, a workaround is available by disabling access to the /new endpoint via a reverse proxy in front of Prometheus (GitHub Advisory, Openwall).

This report was generated using AI.

Related Prometheus vulnerabilities:

CVE ID          | Severity | Score | Technologies | Component name    | CISA KEV exploit | Has fix | Published date
CVE-2025-61729  | HIGH     | 7.5   | cAdvisor     | hugo-extended     | No               | Yes     | Dec 02, 2025
CVE-2025-61725  | HIGH     | 7.5   | cAdvisor     | conftest-fips     | No               | Yes     | Oct 29, 2025
CVE-2025-61727  | MEDIUM   | 6.5   | cAdvisor     | rancher-telemetry | No               | Yes     | Dec 03, 2025
CVE-2025-58181  | MEDIUM   | 5.3   | cAdvisor     | calico-3.29       | No               | Yes     | Nov 19, 2025
CVE-2025-47914  | MEDIUM   | 5.3   | cAdvisor     | op-geth           | No               | Yes     | Nov 19, 2025
