Hello,
The Prometheus team has released bugfix releases about an Open Redirect
(CWE-601) security issue.
The issue has been assigned the CVE number CVE-2021-29622.
The security issue affects Prometheus v2.23.0 to v2.26.0, and v2.27.0.
Please find more information here:
The Prometheus team thanks Aaron Devaney from MDSec for reporting this
issue.
Timeline:
May 12, 2021: Issue reported privately to Prometheus team
May 12, 2021: A fix is proposed and reviewed
May 13, 2021: CVE-2021-29622 issued by GitHub staff
May 18, 2021: Bugfix released for the last two minor releases of
Prometheus.
The releases can be found in the usual locations:
v2.26.1: Release 2.26.1 / 2021-05-18 · prometheus/prometheus · GitHub
v2.27.1: Release 2.27.1 / 2021-05-18 · prometheus/prometheus · GitHub
Thanks,
The Prometheus Team