Fix for Cortex Alertmanager security issue CVE-2021-31232

Marco Pracucci

Grafana Labs has proactively discovered a security vulnerability in Cortex 1.8 and previous versions, which allows local file disclosure when the Alertmanager is run with its API enabled through -experimental.alertmanager.enable-api (CVE-2021-31232).

The HTTP basic auth password_file could be used as an attack vector to send any local file content via a webhook. The Alertmanager templates could also be used as an attack vector to send any file content because the Alertmanager can load any text file specified in the templates list.

Cortex team has just published versions 1.7.1 and 1.8.1 with a fix for this security issue:
- 1.8.1:
- 1.7.1:

Marco Pracucci

Join { to automatically receive all group messages.