CVE-2021-31232

5.5MEDIUM

Key Information:

Vendor
Linux
Status
Cortex
Vendor
CVE Published:
30 April 2021

Summary

The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.

References

https://community.grafana.com/c/security-announcements
x_refsource_MISC
https://github.com/cortexproject/cortex
x_refsource_MISC
https://github.com/cortexproject/cortex/pull/4129/files
x_refsource_MISC

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.