Vulnerability Details CVE-2021-36157
An issue was discovered in Grafana Cortex through 1.9.0. The value of the X-Scope-OrgID request header (the tenant identifier) is used to construct file paths for rules files. If the header is crafted to conduct directory traversal, such as a ../../sensitive/path/in/deployment pathname, then Cortex attempts to parse a rules file at that location and includes some of its contents in the error message, disclosing data from the ruler's filesystem to whoever can send requests with that header. (Other Cortex API requests can also be sent a malicious OrgID header, e.g., tricking the ingester into writing metrics to a different location, but the effect there is nuisance rather than information disclosure.) The practical precondition is that the attacker can reach a Cortex API with an arbitrary X-Scope-OrgID value; deployments that set or overwrite the header at an authenticating gateway are not exposed to this path.
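The pattern below is an added illustration of the flaw class the advisory describes and of the kind of check that closes it; it is not Cortex's own code and makes no claim about its internal layout. The base directory `/data/rules`, the `rules.yaml` file name, the tenant-ID length bound and the allowed character set are all assumptions chosen for the example. `vulnerableRulesPath` joins the header value straight into a filesystem path, so `filepath.Join` cleans the `..` segments and the result walks out of the base directory; `safeRulesPath` rejects any value that is not a plain identifier and then independently confirms the cleaned path is still under the base directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// rulesDir is an assumed base directory for this example, not Cortex's real layout.
const rulesDir = "/data/rules"

// vulnerableRulesPath shows the flaw class in the advisory: the raw
// X-Scope-OrgID header is joined into a path. filepath.Join cleans the
// result, so "../../" segments in orgID escape rulesDir.
func vulnerableRulesPath(orgID string) string {
	return filepath.Join(rulesDir, orgID, "rules.yaml")
}

// ErrInvalidTenant is returned when an org/tenant ID is rejected.
var ErrInvalidTenant = errors.New("invalid X-Scope-OrgID")

// validateTenantID is an assumed allow-list check (example code, not
// Cortex's own validation): non-empty, bounded length, not "." or "..",
// and only ASCII letters, digits and a small punctuation set. Path
// separators on every platform ('/' and '\\') are therefore rejected.
func validateTenantID(id string) error {
	if id == "" || len(id) > 150 {
		return ErrInvalidTenant
	}
	if id == "." || id == ".." {
		return ErrInvalidTenant
	}
	for _, r := range id {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case strings.ContainsRune("!-_.*'()", r):
		default:
			return ErrInvalidTenant
		}
	}
	return nil
}

// safeRulesPath validates the header value first, then builds the path and
// double-checks that the cleaned result is still inside rulesDir. The second
// check is defence in depth: if the allow-list is ever relaxed, traversal
// still cannot reach outside the base directory.
func safeRulesPath(orgID string) (string, error) {
	if err := validateTenantID(orgID); err != nil {
		return "", err
	}
	p := filepath.Join(rulesDir, orgID, "rules.yaml")
	rel, err := filepath.Rel(rulesDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidTenant
	}
	return p, nil
}

func main() {
	// Constructed header values: one legitimate tenant and three hostile ones.
	for _, id := range []string{"team-a", "../../etc/passwd", "..", "a/b"} {
		p, err := safeRulesPath(id)
		fmt.Printf("%-20q vulnerable=%-28s safe=%q err=%v\n", id, vulnerableRulesPath(id), p, err)
	}
}
```

Running the block shows that `../../etc/passwd` resolves to `/etc/passwd/rules.yaml` through the vulnerable function while the hardened one returns an error, which is the behaviour to look for when testing a Cortex-like service: send a request with a traversal payload in X-Scope-OrgID and confirm the response carries no file contents in its error text.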
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 54.3%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
Products affected by CVE-2021-36157
- cpe:2.3:a:linuxfoundation:cortex:- (version unspecified)
- cpe:2.3:a:linuxfoundation:cortex:0.1.0
- cpe:2.3:a:linuxfoundation:cortex:0.2.0
- cpe:2.3:a:linuxfoundation:cortex:0.3.0
- cpe:2.3:a:linuxfoundation:cortex:0.4.0
- cpe:2.3:a:linuxfoundation:cortex:0.5.0
- cpe:2.3:a:linuxfoundation:cortex:0.6.0
- cpe:2.3:a:linuxfoundation:cortex:0.6.1
- cpe:2.3:a:linuxfoundation:cortex:0.7.0
- cpe:2.3:a:linuxfoundation:cortex:1.0.0
- cpe:2.3:a:linuxfoundation:cortex:1.0.1
- cpe:2.3:a:linuxfoundation:cortex:1.1.0
- cpe:2.3:a:linuxfoundation:cortex:1.2.0
- cpe:2.3:a:linuxfoundation:cortex:1.3.0
- cpe:2.3:a:linuxfoundation:cortex:1.4.0
- cpe:2.3:a:linuxfoundation:cortex:1.5.0
- cpe:2.3:a:linuxfoundation:cortex:1.6.0
- cpe:2.3:a:linuxfoundation:cortex:1.7.0
- cpe:2.3:a:linuxfoundation:cortex:1.7.1
- cpe:2.3:a:linuxfoundation:cortex:1.8.0
- cpe:2.3:a:linuxfoundation:cortex:1.8.1
- cpe:2.3:a:linuxfoundation:cortex:1.9.0