CVE-2021-29622 Overview
CVE-2021-29622 is an open redirect vulnerability affecting Prometheus, the widely-used open-source monitoring system and time series database. Starting with version 2.23.0, Prometheus introduced a new UI with URL prefixes under /new that redirect to / to ensure a seamless transition. A bug in the redirect logic allows attackers to craft malicious URLs that can redirect users to arbitrary external URLs through the /new endpoint.
Critical Impact
Attackers can leverage this open redirect vulnerability to perform phishing attacks by directing users of Prometheus servers to malicious websites, potentially leading to credential theft or malware distribution.
Affected Products
- Prometheus versions 2.23.0 through 2.26.0
- Prometheus version 2.27.0 (including 2.27.0-rc0)
- Any Prometheus deployment exposing the /new endpoint to users
Discovery Timeline
- May 19, 2021 - CVE-2021-29622 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-29622
Vulnerability Analysis
This vulnerability falls under CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect). The issue stems from improper validation of redirect URLs in the /new endpoint handler. When Prometheus transitioned to its new UI in version 2.23.0, the development team implemented redirects from /new/* paths to their corresponding paths without the prefix to maintain backward compatibility.
The redirect logic fails to properly validate that the target URL is within the same origin or is a relative path. This allows an attacker to construct a specially crafted URL containing an external domain that the Prometheus server will accept and redirect the user to.
Root Cause
The root cause is insufficient input validation in the URL redirect handler for the /new endpoint. The code responsible for processing redirect paths does not adequately sanitize or validate the destination URL, allowing absolute URLs or specially formatted paths that resolve to external domains to be accepted as valid redirect targets.
Attack Vector
The attack requires user interaction—a victim must click on or visit a maliciously crafted URL pointing to a vulnerable Prometheus server. The attacker creates a URL that appears to link to a legitimate Prometheus instance but includes redirect parameters that will send the victim to an attacker-controlled site.
This vulnerability is exploited through network-based attacks where the attacker distributes the malicious link through phishing emails, social media, or other channels. When a user clicks the link expecting to access their Prometheus dashboard, they are instead redirected to a malicious destination where credential harvesting or malware distribution can occur.
The exploitation pattern typically involves crafting a URL that leverages path manipulation techniques to bypass basic validation. For technical details on the specific exploitation method, refer to the GitHub Security Advisory GHSA-vx57-7f4q-fpc7.
Detection Methods for CVE-2021-29622
Indicators of Compromise
- Unusual HTTP requests to the /new endpoint containing external URLs or suspicious path patterns
- Access logs showing requests to /new/ followed by encoded or malformed URL paths
- User reports of unexpected redirects when accessing Prometheus dashboards
- Web server logs indicating 302/301 redirects from Prometheus to external domains
Detection Strategies
- Monitor web server access logs for requests to /new/* paths containing URL-encoded characters or external domain references
- Implement web application firewall (WAF) rules to detect and block open redirect attempts targeting the /new endpoint
- Review network traffic for outbound connections from user browsers that originated from Prometheus server redirects
- Set up alerts for any redirect responses from the Prometheus server that point to external domains
Monitoring Recommendations
- Enable detailed access logging on the Prometheus server and any reverse proxy in front of it
- Configure log analysis tools to flag requests containing suspicious redirect patterns in the /new path
- Monitor for phishing campaigns that may be leveraging your organization's Prometheus URLs
- Implement Content Security Policy headers to limit redirect destinations where possible
How to Mitigate CVE-2021-29622
Immediate Actions Required
- Upgrade Prometheus to version 2.26.1, 2.27.1, or 2.28.0 and later where the issue is resolved
- If immediate patching is not possible, implement a reverse proxy rule to block or restrict access to the /new endpoint
- Review access logs for any historical exploitation attempts
- Notify users who may have accessed suspicious Prometheus URLs to check for credential compromise
Patch Information
Prometheus has released security patches addressing this vulnerability in versions 2.26.1 and 2.27.1. Starting with version 2.28.0, the /new endpoint has been completely removed, eliminating the attack surface entirely.
For detailed release information, see:
Workarounds
- Deploy a reverse proxy (such as nginx or Apache) in front of Prometheus and configure it to deny all requests to the /new endpoint
- Implement URL filtering at the network perimeter to block or alert on requests targeting vulnerable paths
- Restrict Prometheus server access to trusted networks or users via authentication and authorization controls
- Use network segmentation to limit exposure of Prometheus instances to only necessary internal traffic
# Example nginx configuration to block /new endpoint
location /new {
deny all;
return 403;
}
# Alternative: Redirect /new requests to root without external redirect capability
location ~ ^/new(.*)$ {
return 301 /;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
