x/vulndb: potential Go vuln in github.com/cortexproject/cortex: GHSA-cq2g-pw6q-hf7j #1174

Closed
GoVulnBot opened this issue Dec 19, 2022 · 1 comment
@GoVulnBot

In GitHub Security Advisory GHSA-cq2g-pw6q-hf7j, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/cortexproject/cortex | 1.14.1 | = 1.14.0 |

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - introduced: TODO (earliest fixed "1.14.1", vuln range "= 1.14.0")
    packages:
      - package: github.com/cortexproject/cortex
  - module: TODO
    versions:
      - introduced: TODO (earliest fixed "1.13.2", vuln range ">= 1.13.0, <= 1.13.1")
    packages:
      - package: github.com/cortexproject/cortex
description: |
    ### Impact

    A local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the [Alertmanager Set Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration). Only users of the Cortex Alertmanager service using `-experimental.alertmanager.enable-api` or `enable_api: true` are affected.

    ### Patches
    Affected Cortex users are advised to upgrade to v1.13.2 or v1.14.1.

    ### Workarounds
    Patching is ultimately advised. Using out-of-bound validation, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section and `opsgenie_api_key_file` in the `global` section before sending to the [Set Alertmanager Configuration API](https://cortexmetrics.io/docs/api/#set-alertmanager-configuration) as a workaround.

    ### References
    - Fixed Versions:
       - https://github.com/cortexproject/cortex/releases/tag/v1.14.1
       - https://github.com/cortexproject/cortex/releases/tag/v1.13.2
    - https://cortexmetrics.io/docs/api/#set-alertmanager-configuration

    ### For more information
    If you have any questions or comments about this advisory:

    * Open an issue in [cortex](https://github.com/cortexproject/cortex/issues/new/choose)
    * Email us at [cortex-team@googlegroups.com](mailto:cortex-team@googlegroups.com).
cves:
  - CVE-2022-23536
ghsas:
  - GHSA-cq2g-pw6q-hf7j
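
The advisory's workaround asks administrators to reject, out of band, any Alertmanager configuration that sets `opsgenie_api_key_file` under `global` or `api_key_file` inside an `opsgenie_configs` entry before it is submitted to the Set Alertmanager Configuration API. The following is an added example of such a pre-submission check; it is not code from Cortex or from the advisory. It walks the decoded configuration tree and reports the exact key paths that would be refused. The sample configuration is constructed for the example and is written as JSON so that the program runs with only the Go standard library; JSON is valid YAML, and (assumption for real use) decoding the YAML form with a YAML library into `map[string]interface{}` produces the same tree shape. Note that the API body wraps the Alertmanager configuration as a string under `alertmanager_config`; this validator is meant to run on that inner configuration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// SampleConfig is a constructed Alertmanager configuration, not taken from
// the advisory, that carries both settings the workaround says to reject.
// It is JSON so the example runs with only the standard library.
const SampleConfig = `{
  "global": {
    "resolve_timeout": "5m",
    "opsgenie_api_key_file": "/etc/passwd"
  },
  "route": {"receiver": "ops"},
  "receivers": [
    {
      "name": "ops",
      "opsgenie_configs": [
        {"api_key_file": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
        {"api_key": "inline-keys-are-not-covered-by-the-workaround"}
      ]
    }
  ]
}`

// isRejected implements the two rules from the advisory's workaround:
// global.opsgenie_api_key_file, and api_key_file in any opsgenie_configs entry.
// parent holds the key path of the map that contains key; list indexes are
// stored as "[i]" tokens.
func isRejected(key string, parent []string) bool {
	switch key {
	case "opsgenie_api_key_file":
		return len(parent) == 1 && parent[0] == "global"
	case "api_key_file":
		n := len(parent)
		return n >= 2 && parent[n-2] == "opsgenie_configs" && strings.HasPrefix(parent[n-1], "[")
	}
	return false
}

// walk descends a decoded config tree (maps and lists), collecting the
// dotted paths of rejected keys. Each recursion gets its own copy of the
// path so sibling branches never share a backing array.
func walk(node interface{}, parent []string, found *[]string) {
	switch v := node.(type) {
	case map[string]interface{}:
		for key, child := range v {
			here := append(append([]string(nil), parent...), key)
			if isRejected(key, parent) {
				*found = append(*found, joinPath(here))
			}
			walk(child, here, found)
		}
	case []interface{}:
		for i, child := range v {
			here := append(append([]string(nil), parent...), "["+strconv.Itoa(i)+"]")
			walk(child, here, found)
		}
	}
}

// joinPath renders tokens as global.key or receivers[0].opsgenie_configs[0].key.
func joinPath(tokens []string) string {
	var b strings.Builder
	for i, t := range tokens {
		if i > 0 && !strings.HasPrefix(t, "[") {
			b.WriteByte('.')
		}
		b.WriteString(t)
	}
	return b.String()
}

// FindRejectedFileKeys returns the sorted paths of settings the workaround
// refuses, or nil if the configuration is acceptable.
func FindRejectedFileKeys(tree interface{}) []string {
	var found []string
	walk(tree, nil, &found)
	sort.Strings(found)
	return found
}

// ValidateAlertmanagerConfig decodes doc and returns an error naming every
// rejected key path, so an operator sees all offenders in one pass.
func ValidateAlertmanagerConfig(doc []byte) error {
	var tree interface{}
	if err := json.Unmarshal(doc, &tree); err != nil {
		return fmt.Errorf("config does not parse: %w", err)
	}
	if bad := FindRejectedFileKeys(tree); len(bad) > 0 {
		return fmt.Errorf("config rejected: file-reading settings at %s", strings.Join(bad, ", "))
	}
	return nil
}

func main() {
	if err := ValidateAlertmanagerConfig([]byte(SampleConfig)); err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("config accepted; safe to submit to the Set Alertmanager Configuration API")
}
```

The check is deliberately path-aware rather than a substring search over the raw YAML: a receiver named `api_key_file` or a comment mentioning the key would otherwise cause a false rejection, while a key hidden by YAML flow syntax would slip past a line-based grep. Run it against the unwrapped Alertmanager configuration before the tenant's request reaches the API; it is a stopgap until the upgrade to v1.13.2 or v1.14.1 is complete.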

@timothy-king

Duplicate of #1175

@timothy-king timothy-king marked this as a duplicate of #1175 Dec 20, 2022