
=====================================================================

                                  CERT-Renater

                      Information Note No. 2022/VULN478

_____________________________________________________________________

DATE                : 20/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running cortex (Go) versions prior to
                                         1.13.2, 1.14.1.

=====================================================================
https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j
_____________________________________________________________________

Alertmanager can expose local files content via specially crafted config

Moderate
alanprot published GHSA-cq2g-pw6q-hf7j


Package
github.com/cortexproject/cortex (Go)

Affected versions
v1.13.0, v1.13.1, v1.14.0

Patched versions
v1.13.2, v1.14.1


Description

Impact

A local file inclusion vulnerability exists in Cortex versions
v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely
read local files as a result of parsing maliciously crafted
Alertmanager configurations when submitted to the Alertmanager Set
Configuration API. Only users of the Cortex Alertmanager service
using -experimental.alertmanager.enable-api or enable_api: true
are affected.


Patches

Affected Cortex users are advised to upgrade to v1.13.2 or v1.14.1.


Workarounds

Patching is ultimately advised. Using out-of-band validation, Cortex
administrators may reject Alertmanager configurations containing the
api_key_file setting in the opsgenie_configs section and
opsgenie_api_key_file in the global section before sending them to the
Set Alertmanager Configuration API as a workaround.
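
An added example (not part of the advisory and not Cortex code) of
validating a configuration before it is submitted, in Python with the
third-party PyYAML package. It assumes the API payload carries the
Alertmanager configuration as a YAML string under an alertmanager_config
field; find_violations and the constants are hypothetical names. It goes
further than the workaround: the two settings are rejected wherever they
appear as mapping keys, and unparseable input, multi-document input and
non-string keys are rejected as well.

```python
import yaml  # PyYAML (third-party); compose() parses to nodes without building objects

# Setting names from the workaround; all other names here are hypothetical.
BLOCKED_KEYS = {"api_key_file", "opsgenie_api_key_file"}
EMBEDDED = "alertmanager_config"  # assumed payload field holding the config as a string
STRING_TAGS = {"tag:yaml.org,2002:str", "tag:yaml.org,2002:merge"}


def find_violations(text, where="payload"):
    """Return reasons to reject `text`; an empty list means it may be forwarded."""
    try:
        root = yaml.compose(text, Loader=yaml.SafeLoader)
    except yaml.YAMLError as exc:  # malformed or multi-document input: fail closed
        return [f"{where}: unparseable YAML ({type(exc).__name__})"]
    found, seen, stack = [], set(), [root]
    while stack:
        node = stack.pop()
        if node is None or id(node) in seen:  # aliases may share or cycle nodes
            continue
        seen.add(id(node))
        if isinstance(node, yaml.SequenceNode):
            stack.extend(node.value)
        elif isinstance(node, yaml.MappingNode):
            for key, value in node.value:  # duplicate keys are all still listed
                stack.append(value)
                if not isinstance(key, yaml.ScalarNode) or key.tag not in STRING_TAGS:
                    found.append(f"{where}: non-string mapping key rejected")
                elif key.value in BLOCKED_KEYS:  # quoting and escapes already resolved
                    found.append(f"{where}: blocked setting {key.value!r}")
                elif key.value == EMBEDDED and isinstance(value, yaml.ScalarNode):
                    found += find_violations(value.value, EMBEDDED)
    return found


# Constructed sample payloads; the file path is a placeholder.
SAMPLE_BAD = """\
alertmanager_config: |
  route: {receiver: ops}
  receivers:
    - name: ops
      opsgenie_configs:
        - api_key_file: /placeholder/path
"""
SAMPLE_OK = "alertmanager_config: |\n  route: {receiver: ops}\n  receivers:\n    - name: ops\n"

if __name__ == "__main__":
    for name, payload in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, find_violations(payload) or "accepted")
```

A non-empty result means the payload should not be forwarded to the API.
Upgrading to a patched version remains the fix.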


Acknowledgements

Austin Robertson with Amazon Web Services

For more information

If you have any questions or comments about this advisory:

     Open an issue in cortex
     Email us at cortex-team@googlegroups.com.


Severity
Moderate

6.5 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
Low

User interaction
None

Scope
Unchanged

Confidentiality
High

Integrity
None

Availability
None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID
CVE-2022-23536

Weaknesses
CWE-73 CWE-184 CWE-641


Credits

     @aus




=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


