{ "schema_version": "1.4.0", "id": "GHSA-cq2g-pw6q-hf7j", "modified": "2023-10-02T11:04:41Z", "published": "2022-12-19T21:09:05Z", "aliases": [ "CVE-2022-23536" ], "summary": "Cortex's Alertmanager can expose local files content via specially crafted config", "details": "### Impact\n\nA local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the [Alertmanager Set Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration). Only users of the Cortex Alertmanager service using `-experimental.alertmanager.enable-api` or `enable_api: true` are affected.\n\n### Specific Go Packages Affected\ngithub.com/cortexproject/cortex/pkg/alertmanager\n\n### Patches\nAffected Cortex users are advised to upgrade to versions 1.13.2 or 1.14.1.\n\n### Workarounds\nPatching is ultimately advised. Using out-of-bound validation, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section and `opsgenie_api_key_file` in the `global` section before sending to the [Set Alertmanager Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration) as a workaround.\n\n### References\n- Fixed Versions:\n - https://github.com/cortexproject/cortex/releases/tag/v1.14.1\n - https://github.com/cortexproject/cortex/releases/tag/v1.13.2\n- https://cortexmetrics.io/docs/api/#set-alertmanager-configuration\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [cortex](https://github.com/cortexproject/cortex/issues/new/choose)\n* Email us at [cortex-team@googlegroups.com](mailto:cortex-team@googlegroups.com).\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/cortexproject/cortex" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.14.0" }, { "fixed": "1.14.1" } ] } ], "versions": [ "1.14.0" ] }, { "package": { "ecosystem": "Go", "name": "github.com/cortexproject/cortex" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.13.0" }, { "fixed": "1.13.2" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23536" }, { "type": "WEB", "url": "https://github.com/cortexproject/cortex/commit/03e023d8b012887b31cc268d0d011b01e1e65506" }, { "type": "WEB", "url": "https://cortexmetrics.io/docs/api/#set-alertmanager-configuration" }, { "type": "PACKAGE", "url": "https://github.com/cortexproject/cortex" }, { "type": "WEB", "url": "https://github.com/cortexproject/cortex/releases/tag/v1.13.2" }, { "type": "WEB", "url": "https://github.com/cortexproject/cortex/releases/tag/v1.14.1" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2022-1175" } ], "database_specific": { "cwe_ids": [ "CWE-184", "CWE-641", "CWE-73" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-19T21:09:05Z", "nvd_published_at": "2022-12-19T22:15:00Z" } }