MEDIUM🇬🇧 English

CVE-2021-31232

CVSS 5.5v3.1pub. 2021-04-30upd. 2024-11-21

The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.

oryginał EN
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Linuxfoundation Cortex

    APP
    Linuxfoundation
    < 1.8.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2022-23536MEDIUM6.5ten sam produkt

Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in...

CVE-2021-36157MEDIUM5.3ten sam produkt

An issue was discovered in Grafana Cortex through 1.9.0. The header value X-Scope-OrgID is used to construct f...

CVE-2026-53488CRITICAL9.4ten sam vendor

containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 t...

CVE-2026-44477CRITICAL9.4PL ✓ten sam vendor

CloudNativePG: eskalacja uprawnień do superużytkownika PostgreSQL przez metrics exporter

CVE-2026-37531CRITICAL9.8PL ✓ten sam vendor

AGL app-framework-main: Zip Slip + TOCTOU umożliwiają zapis dowolnych plików