Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.
References
| Link | Resource |
|---|---|
| https://cortexmetrics.io/docs/api/#set-alertmanager-configuration | Vendor Advisory |
| https://github.com/cortexproject/cortex/releases/tag/v1.13.2 | Release Notes Third Party Advisory |
| https://github.com/cortexproject/cortex/releases/tag/v1.14.1 | Release Notes Third Party Advisory |
| https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 03:44
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API. |
27 Dec 2022, 18:54
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| CWE | CWE-184 CWE-641 |
NVD-CWE-noinfo |
| First Time |
Linuxfoundation cortex
Linuxfoundation |
|
| CPE | cpe:2.3:a:linuxfoundation:cortex:1.14.0:*:*:*:*:*:*:* cpe:2.3:a:linuxfoundation:cortex:1.13.0:*:*:*:*:*:*:* cpe:2.3:a:linuxfoundation:cortex:1.13.1:*:*:*:*:*:*:* |
|
| References | (MISC) https://cortexmetrics.io/docs/api/#set-alertmanager-configuration - Vendor Advisory | |
| References | (MISC) https://github.com/cortexproject/cortex/releases/tag/v1.13.2 - Release Notes, Third Party Advisory | |
| References | (MISC) https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j - Third Party Advisory | |
| References | (MISC) https://github.com/cortexproject/cortex/releases/tag/v1.14.1 - Release Notes, Third Party Advisory |
19 Dec 2022, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2022-12-19 22:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-23536
Mitre link : CVE-2022-23536
CVE.ORG link : CVE-2022-23536
JSON object : View
Products Affected
linuxfoundation
- cortex
CWE
NVD-CWE-noinfo
CWE-184
Incomplete List of Disallowed Inputs
CWE-641Improper Restriction of Names for Files and Other Resources
CWE-73External Control of File Name or Path