Vulnerability Report: GO-2022-1175

CVE-2022-23536, GHSA-cq2g-pw6q-hf7j
Affects: github.com/cortexproject/cortex
Published: Dec 22, 2022
Modified: May 20, 2024

A malicious actor could remotely read local files by submitting to the Alertmanager Set Configuration API maliciously crafted inputs. Only users of the Alertmanager service where "-experimental.alertmanager.enable-api" or "enable_api: true" is configured are affected.

For detailed information about this vulnerability, visit https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j.

Affected Packages

Path

Go Versions

Symbols
github.com/cortexproject/cortex/pkg/alertmanager

from v1.13.0 before v1.13.2, from v1.14.0 before v1.14.1
2 unexported affected symbols
- validateAlertmanagerConfig
- validateGlobalConfig

Aliases

CVE-2022-23536
GHSA-cq2g-pw6q-hf7j

References

https://github.com/cortexproject/cortex/security/advisories/GHSA-cq2g-pw6q-hf7j
https://github.com/cortexproject/cortex/commit/03e023d8b012887b31cc268d0d011b01e1e65506
https://cortexmetrics.io/docs/api/#set-alertmanager-configuration
https://vuln.go.dev/ID/GO-2022-1175.json

Credits

Austin Robertson with Amazon Web Services

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL