CVE-2021-31231

Опубликовано: 30 апр. 2021

Источник: nvd

CVSS3: 5.5

CVSS2: 2.1

EPSS Низкий

Описание

The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.

Ссылки

https://community.grafana.com/c/security-announcements
Broken Link
Vendor Advisory
https://grafana.com/docs/metrics-enterprise/
Product
Vendor Advisory
https://grafana.com/docs/metrics-enterprise/latest/downloads/#v113----april-27-2021
Release Notes
Vendor Advisory
https://grafana.com/docs/metrics-enterprise/latest/downloads/#v121----april-27-2021
Release Notes
Vendor Advisory
https://security.netapp.com/advisory/ntap-20210611-0001/
Third Party Advisory
https://community.grafana.com/c/security-announcements
Broken Link
Vendor Advisory
https://grafana.com/docs/metrics-enterprise/
Product
Vendor Advisory
https://grafana.com/docs/metrics-enterprise/latest/downloads/#v113----april-27-2021
Release Notes
Vendor Advisory
https://grafana.com/docs/metrics-enterprise/latest/downloads/#v121----april-27-2021
Release Notes
Vendor Advisory
https://security.netapp.com/advisory/ntap-20210611-0001/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:grafana:enterprise_metrics:*:*:*:*:*:*:*:*

Версия до 1.2.1 (исключая)

cpe:2.3:a:grafana:enterprise_metrics:*:*:*:*:enterprise:*:*:*

Версия до 1.2.1 (исключая)

EPSS

Процентиль: 22%

0.0007

Низкий

5.5 Medium

CVSS3

2.1 Low

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-rm28-h995-22q5