SUSE: CVE-2021-29622: SUSE Linux Security Advisory
Description
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL that can redirect to any other URL, in the /new endpoint. If a user visits a prometheus server with a specially crafted address, they can be redirected to an arbitrary URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In 2.28.0, the /new endpoint will be removed completely. The workaround is to disable access to /new via a reverse proxy in front of Prometheus.
Solution(s)
- suse-upgrade-ansible
- suse-upgrade-ansible-doc
- suse-upgrade-ansible-test
- suse-upgrade-dracut-saltboot
- suse-upgrade-golang-github-prometheus-prometheus
- suse-upgrade-mgr-cfg
- suse-upgrade-mgr-cfg-actions
- suse-upgrade-mgr-cfg-client
- suse-upgrade-mgr-cfg-management
- suse-upgrade-mgr-custom-info
- suse-upgrade-mgr-osa-dispatcher
- suse-upgrade-mgr-osad
- suse-upgrade-mgr-push
- suse-upgrade-mgr-virtualization-host
- suse-upgrade-python2-mgr-cfg
- suse-upgrade-python2-mgr-cfg-actions
- suse-upgrade-python2-mgr-cfg-client
- suse-upgrade-python2-mgr-cfg-management
- suse-upgrade-python2-mgr-osa-common
- suse-upgrade-python2-mgr-osa-dispatcher
- suse-upgrade-python2-mgr-osad
- suse-upgrade-python2-mgr-push
- suse-upgrade-python2-mgr-virtualization-common
- suse-upgrade-python2-mgr-virtualization-host
- suse-upgrade-python2-rhnlib
- suse-upgrade-python2-spacewalk-check
- suse-upgrade-python2-spacewalk-client-setup
- suse-upgrade-python2-spacewalk-client-tools
- suse-upgrade-python2-spacewalk-koan
- suse-upgrade-python2-spacewalk-oscap
- suse-upgrade-python2-suseregisterinfo
- suse-upgrade-python2-uyuni-common-libs
- suse-upgrade-python3-mgr-cfg
- suse-upgrade-python3-mgr-cfg-actions
- suse-upgrade-python3-mgr-cfg-client
- suse-upgrade-python3-mgr-cfg-management
- suse-upgrade-python3-mgr-osa-common
- suse-upgrade-python3-mgr-osa-dispatcher
- suse-upgrade-python3-mgr-osad
- suse-upgrade-python3-mgr-push
- suse-upgrade-python3-mgr-virtualization-common
- suse-upgrade-python3-mgr-virtualization-host
- suse-upgrade-python3-rhnlib
- suse-upgrade-python3-spacewalk-check
- suse-upgrade-python3-spacewalk-client-setup
- suse-upgrade-python3-spacewalk-client-tools
- suse-upgrade-python3-spacewalk-koan
- suse-upgrade-python3-spacewalk-oscap
- suse-upgrade-python3-suseregisterinfo
- suse-upgrade-python3-uyuni-common-libs
- suse-upgrade-spacecmd
- suse-upgrade-spacewalk-check
- suse-upgrade-spacewalk-client-setup
- suse-upgrade-spacewalk-client-tools
- suse-upgrade-spacewalk-koan
- suse-upgrade-spacewalk-oscap
- suse-upgrade-suseregisterinfo
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center