Merge pull request from GHSA-vx57-7f4q-fpc7

* Do not remove /new because it is not part of the route parameter (CVE-2021-29622) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> * Release 2.26.1 Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>
2025-03-05 20:59:13 -08:00 · 2021-05-18 14:47:45 +02:00 · 2021-05-18 14:47:45 +02:00 · 6eeded0fdf
parent 3cafc58827
commit 6eeded0fdf
3 changed files with 14 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,15 @@
+## 2.26.1 / 2021-05-18
+
+This release contains a bug fix for a security issue in the API endpoint. An
+attacker can craft a special URL that redirects a user to any endpoint via an
+HTTP 302 response. See the [security advisory][GHSA-vx57-7f4q-fpc7] for more details.
+
+[GHSA-vx57-7f4q-fpc7]:https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
+
+This vulnerability has been reported by Aaron Devaney from MDSec.
+
+* [BUGFIX] SECURITY: Fix arbitrary redirects under the /new endpoint (CVE-2021-29622)
+
 ## 2.26.0 / 2021-03-31

 Prometheus is now built and supporting Go 1.16 (#8544). This reverts the memory release pattern added in Go 1.12. This makes common RSS usage metrics showing more accurate number for actual memory used by Prometheus. You can read more details [here](https://www.bwplotka.dev/2019/golang-memory-monitoring/).
--- a/2
+++ b/2
@ -1 +1 @@
-2.26.0
+2.26.1
--- a/web/web.go
+++ b/web/web.go
@ -354,7 +354,7 @@ func New(logger log.Logger, o *Options) *Handler {
 	// Redirect the original React UI's path (under "/new") to its new path at the root.
 	router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
 		p := route.Param(r.Context(), "path")
-		http.Redirect(w, r, path.Join(o.ExternalURL.Path, strings.TrimPrefix(p, "/new"))+"?"+r.URL.RawQuery, http.StatusFound)
+		http.Redirect(w, r, path.Join(o.ExternalURL.Path, p)+"?"+r.URL.RawQuery, http.StatusFound)
 	})

 	router.Get("/classic/alerts", readyf(h.alerts))
 @ -1 +1 @@
 .26.0
 .26.1