Loki
Monthly
Uncontrolled memory allocation in Grafana Loki lets remote unauthenticated users issue queries with excessively large limit values, forcing the service to allocate large amounts of memory and potentially exhausting host resources. The impact is denial of service (CVSS 7.5, A:H only) and varies by deployment topology - a single-binary or under-provisioned deployment is far more exposed than a horizontally scaled microservices setup. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note the input 'Information Disclosure' tag conflicts with the CVSS impact (C:N/I:N/A:H), which indicates an availability-only issue.
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability.
An issue was discovered in Grafana Loki through 2.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Uncontrolled memory allocation in Grafana Loki lets remote unauthenticated users issue queries with excessively large limit values, forcing the service to allocate large amounts of memory and potentially exhausting host resources. The impact is denial of service (CVSS 7.5, A:H only) and varies by deployment topology - a single-binary or under-provisioned deployment is far more exposed than a horizontally scaled microservices setup. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note the input 'Information Disclosure' tag conflicts with the CVSS impact (C:N/I:N/A:H), which indicates an availability-only issue.
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace} Thanks to Prasanth Sundararajan for reporting this vulnerability.
An issue was discovered in Grafana Loki through 2.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.