CVE-2022-23536

EPSS 0.4%
Published 19.12.2022 22:15:10
Last modified 21.11.2024 06:48:45
Source security-advisories@github.com
Teams watchlist Login
Open Login

Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.

Affected products Warnungen 0 Metrics 3 CWE 3 References 7

Data is provided by the National Vulnerability Database (NVD)

Linuxfoundation ≫ Cortex Version1.13.0

Linuxfoundation ≫ Cortex Version1.13.1

Linuxfoundation ≫ Cortex Version1.14.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.4%	0.599

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-641 Improper Restriction of Names for Files and Other Resources

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

https://cortexmetrics.io/docs/api/#set-alertmanager-configuration

Vendor Advisory

https://github.com/cortexproject/cortex/releases/tag/v1.13.2

Third Party Advisory

Release Notes

https://github.com/cortexproject/cortex/releases/tag/v1.14.1

Third Party Advisory

Release Notes

https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-23536

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-23536

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-23536

EUVD