Merge pull request from GHSA-vx57-7f4q-fpc7

* Do not remove /new because it is not part of the route parameter (CVE-2021-29622) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> * Release 2.27.1 Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>
2021-05-18 14:47:45 +02:00 · 2021-05-18 14:47:45 +02:00 · db7f0bcec2
parent 24c9b61221
commit db7f0bcec2
3 changed files with 14 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,15 @@
+## 2.27.1 / 2021-05-18
+
+This release contains a bug fix for a security issue in the API endpoint. An
+attacker can craft a special URL that redirects a user to any endpoint via an
+HTTP 302 response. See the [security advisory][GHSA-vx57-7f4q-fpc7] for more details.
+
+[GHSA-vx57-7f4q-fpc7]:https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
+
+This vulnerability has been reported by Aaron Devaney from MDSec.
+
+* [BUGFIX] SECURITY: Fix arbitrary redirects under the /new endpoint (CVE-2021-29622)
+
 ## 2.27.0 / 2021-05-12

 * [FEATURE] Promtool: Retroactive rule evaluation functionality. #7675
--- a/2
+++ b/2
@ -1 +1 @@
-2.27.0
+2.27.1
--- a/web/web.go
+++ b/web/web.go
@ -354,7 +354,7 @@ func New(logger log.Logger, o *Options) *Handler {
 	// Redirect the original React UI's path (under "/new") to its new path at the root.
 	router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
 		p := route.Param(r.Context(), "path")
-		http.Redirect(w, r, path.Join(o.ExternalURL.Path, strings.TrimPrefix(p, "/new"))+"?"+r.URL.RawQuery, http.StatusFound)
+		http.Redirect(w, r, path.Join(o.ExternalURL.Path, p)+"?"+r.URL.RawQuery, http.StatusFound)
 	})

 	router.Get("/classic/alerts", readyf(h.alerts))
 @ -1 +1 @@
 .27.0
 .27.1