Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.
AnalysisAI
The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Technical ContextAI
The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list. Affected products include: Linuxfoundation Cortex. Version information: before 1.8.1.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
An issue in StrangeBee TheHive v.5.0.8, v.4.1.21 and Cortex v.3.1.6 allows a remote attacker to gain privileges via Acti
An organization administrator can add a super administrator in THEHIVE PROJECT Cortex before 2.1.3 due to the lack of ov
Cortex provides multi-tenant, long term storage for Prometheus. Rated medium severity (CVSS 6.5), this vulnerability is
An issue was discovered in Grafana Cortex through 1.9.0. Rated medium severity (CVSS 5.3), this vulnerability is remotel
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today