Bug 1955751 (CVE-2021-31232)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2021-31232 cortex: Alertmanager can expose local files content via specially crafted config | | |
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | amctagga, gghezzo, gparvin, grafana-maint, jcantril, jkurik, jramanat, jweiser, muagarwa, nathans, nbecker, njean, ocs-bugs, owatkins, pahickey, periklis, scox, stcannon, teagle, thee |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | cortex 1.8.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Cortex that may allow a local attacker to obtain sensitive information. This is due to an issue in the Alertmanager when -experimental.alertmanager.enable-api is used. By using a webhook to send file content, an attacker can load any text file specified in the templates list, obtain sensitive information, and use this information to launch further attacks against the affected system. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-04-14 12:39:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2183174 | | |
| Bug Blocks: | 1955753 | | |
Description
Pedro Sampaio
2021-04-30 18:08:34 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2183174]

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-31232