漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Alertmanager can expose local files content via specially crafted config
Vulnerability Description
Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
文件名或路径的外部可控制
Vulnerability Title
cortex 安全漏洞
Vulnerability Description
cortex是一个应用软件。提供了水平可扩展,高可用性,多租户的长期存储。 cortex 1.13.0、1.13.1和1.14.0版本存在安全漏洞。攻击者利用该漏洞通过解析恶意构建的Alertmanager配置来远程读取本地文件。
CVSS Information
N/A
Vulnerability Type
N/A