CVE-2022-23536 Alertmanager can expose local files content via specially crafted config

2022-12-1921:10:21

CWE-184

CWE-73

CWE-641

GitHub_M

www.cve.org

cve-2022-23536

alertmanager

cortex

multi-tenant

local file inclusion

vulnerability

file exposure

crafted config

api

configuration

upgrade

workaround

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

35.2%

JSON

Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where -experimental.alertmanager.enable-api or enable_api: true is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the api_key_file setting in the opsgenie_configs section before sending to the Set Alertmanager Configuration API.

CNA Affected

[
  {
    "vendor": "cortexproject",
    "product": "cortex",
    "versions": [
      {
        "version": ">= 1.13.0, <= 1.13.1",
        "status": "affected"
      },
      {
        "version": "= 1.14.0",
        "status": "affected"
      }
    ]
  }
]