Fix for Cortex Alertmanager security issue CVE-2021-31232
Marco Pracucci
Grafana Labs has proactively discovered a security vulnerability in Cortex 1.8 and previous versions, which allows local file disclosure when the Alertmanager is run with its API enabled through -experimental.alertmanager.enable-api (CVE-2021-31232).
The HTTP basic auth password_file could be used as an attack vector to send any local file content via a webhook. The Alertmanager templates could also be used as an attack vector to send any file content because the Alertmanager can load any text file specified in the templates list.
Cortex team has just published versions 1.7.1 and 1.8.1 with a fix for this security issue:
- 1.8.1: https://github.com/cortexproject/cortex/releases/tag/v1.8.1
- 1.7.1: https://github.com/cortexproject/cortex/releases/tag/v1.7.1
The HTTP basic auth password_file could be used as an attack vector to send any local file content via a webhook. The Alertmanager templates could also be used as an attack vector to send any file content because the Alertmanager can load any text file specified in the templates list.
Cortex team has just published versions 1.7.1 and 1.8.1 with a fix for this security issue:
- 1.8.1: https://github.com/cortexproject/cortex/releases/tag/v1.8.1
- 1.7.1: https://github.com/cortexproject/cortex/releases/tag/v1.7.1
Marco Pracucci