diff options
| author | David O'Rourke <dor.bsd@xm0.uk> | 2021-06-01 03:02:51 +0000 |
|---|---|---|
| committer | Guangyuan Yang <ygy@FreeBSD.org> | 2021-06-01 03:02:51 +0000 |
| commit | 6890a3c0b215c66ee4ac27745dc8caee73dda7f8 (patch) | |
| tree | 82cf4b253e4789acd40a8fee4a5157ef465f9610 | |
| parent | a70377ab661d1bbf64f5b84050aedc1b7748e26f (diff) | |
security/vuxml: Document vulnerability in net-mgmt/prometheus2
PR: 255976
Security: CVE-2021-29622
Approved by: lwhsu (mentor)
| -rw-r--r-- | security/vuxml/vuln.xml | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 547d51e10b82..70fc3181c123 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,45 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="59ab72fb-bccf-11eb-a38d-6805ca1caf5c"> + <topic>Prometheus -- arbitrary redirects</topic> + <affects> + <package> + <name>prometheus2</name> + <range><ge>2.23.0</ge><lt>2.26.1</lt></range> + <range><eq>2.27.0</eq></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Prometheus reports:</p> + <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2021-29622"> + <p> + Prometheus is an open-source monitoring system and time series + database. In 2.23.0, Prometheus changed its default UI to the New + ui. To ensure a seamless transition, the URL's prefixed by /new + redirect to /. Due to a bug in the code, it is possible for an + attacker to craft an URL that can redirect to any other URL, in the + /new endpoint. If a user visits a prometheus server with a + specially crafted address, they can be redirected to an arbitrary + URL. The issue was patched in the 2.26.1 and 2.27.1 releases. In + 2.28.0, the /new endpoint will be removed completely. The + workaround is to disable access to /new via a reverse proxy in + front of Prometheus. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-29622</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2021-29622</url> + </references> + <dates> + <discovery>2021-05-18</discovery> + <entry>2021-06-01</entry> + </dates> + </vuln> + <vuln vid="fd24a530-c202-11eb-b217-b42e99639323"> <topic>wayland -- integer overflow</topic> <affects> |