Date: Wed, 19 May 2021 10:08:13 +0200
From: Julien Pivotto <>
Subject: Prometheus 2.26.1-2.27.1 released to fix an Open Redirect security


The Prometheus team has released bugfix releases about an Open Redirect
(CWE-601) security issue.
The issue has been assigned the CVE number CVE-2021-29622.


In 2.23.0, Prometheus changed its default UI to the new UI. To ensure a
seamless transition, the URLs prefixed by /new redirect to /.
Due to a bug in the code, it is possible for an attacker to craft a URL
that can redirect to any other URL, in the /new endpoint.

If a user visits a Prometheus server with a specially crafted address
(e.g.:<url>), they can be redirected to an
arbitrary URL.

e.g. if a user visits, they will be
redirected to


The security issue affects Prometheus v2.23.0 to v2.26.0, and v2.27.0.

Please find more information here:

The Prometheus team thanks Aaron Devaney from MDSec for reporting this

May 12, 2021: Issue reported privately to Prometheus team
May 12, 2021: A fix is proposed and reviewed
May 13, 2021: CVE-2021-29622 issued by GitHub staff
May 18, 2021: Bugfix released for the last two minor releases of

The releases can be found in the usual locations:



The Prometheus Team
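As an added example (not Prometheus's own code), here is a Go handler for a /new prefix redirect that only ever emits a same-origin path, showing the kind of normalisation and check that closes this class of open redirect; the helper and handler names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path"
	"strings"
)

// ErrUnsafeRedirect is returned if a computed target is not a same-origin path.
var ErrUnsafeRedirect = errors.New("redirect target is not a local path")

// localRedirectTarget (hypothetical) maps a request path under /new to the
// same path under /, returning only an absolute, same-origin path.
func localRedirectTarget(reqPath string) (string, error) {
	rest := strings.TrimPrefix(reqPath, "/new")
	// Browsers accept "\" for "/" in the authority position, so normalise first.
	rest = strings.ReplaceAll(rest, `\`, "/")
	// path.Join cleans its result: runs of "/" collapse, ".." resolves, and the
	// result starts with a single "/". So "//evil.example/graph", which
	// http.Redirect would pass through as a protocol-relative URL, becomes
	// "/evil.example/graph".
	target := path.Join("/", rest)
	// Defence in depth: refuse anything that is not a plain absolute path.
	if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "//") {
		return "", ErrUnsafeRedirect
	}
	return target, nil
}

// newUIRedirect (hypothetical) serves the /new prefix, keeping the query string.
func newUIRedirect(w http.ResponseWriter, r *http.Request) {
	target, err := localRedirectTarget(r.URL.Path)
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if r.URL.RawQuery != "" {
		target += "?" + r.URL.RawQuery
	}
	http.Redirect(w, r, target, http.StatusFound)
}

func main() {
	// Constructed sample paths, including ones shaped like a redirect-out attempt.
	for _, p := range []string{"/new/graph", "/new//evil.example/graph", `/new/\evil.example`} {
		t, err := localRedirectTarget(p)
		fmt.Printf("%-28s -> %q %v\n", p, t, err)
	}
}
```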
