Local File Disclosure Vulnerability in Grafana Enterprise Metrics
CVE-2021-31231

5.5MEDIUM

Key Information:

Vendor
Grafana
Status
Enterprise Metrics
Vendor
CVE Published:
30 April 2021

Summary

The Alertmanager component in Grafana Enterprise Metrics versions prior to 1.2.1 is susceptible to local file disclosure. This vulnerability can be exploited when the experimental.alertmanager.enable-api feature is enabled. An attacker could leverage this flaw to access sensitive file content by using the HTTP basic authentication password_file as an attack vector, as well as through alertmanager templates that can reference any specified text file. It is crucial for organizations using affected versions to take immediate action to secure their deployments and patch to the latest version.

References

https://grafana.com/docs/metrics-enterprise/
x_refsource_MISC
https://community.grafana.com/c/security-announcements
x_refsource_MISC
https://grafana.com/docs/metrics-enterprise/latest/downlo...
x_refsource_MISC

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.