Cortex · Cortex · CVE-2022-23536
**Name of the Vulnerable Software and Affected Versions**
Cortex versions 1.13.0 through 1.13.1
Cortex version 1.14.0
**Description**
A local file inclusion issue exists in Cortex: a malicious actor could remotely read files local to the Cortex Alertmanager by submitting a maliciously crafted Alertmanager configuration to the Alertmanager Set Configuration API, which parses it and resolves the file paths it references. Only users of the Alertmanager service with `-experimental.alertmanager.enable-api` or `enable_api: true` configured are affected.
**Recommendations**
For Cortex versions 1.13.0 through 1.13.1, upgrade to version 1.13.2.
For Cortex version 1.14.0, upgrade to version 1.14.1.
As a temporary workaround, Cortex administrators may reject Alertmanager configurations that contain the `api_key_file` setting in any `opsgenie_configs` entry before they are sent to the Alertmanager Set Configuration API.
Additionally, reject configurations that contain `opsgenie_api_key_file` in the `global` section as an extra precaution.
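The workaround above, as an added example that is not part of this advisory or of the Cortex project: a pre-submission check that takes an Alertmanager configuration as an already-parsed mapping (what `yaml.safe_load` or `json.loads` would return for the `alertmanager_config` document) and reports every `api_key_file` under `opsgenie_configs` and every `opsgenie_api_key_file` under `global`. The function names and the two sample configurations are constructed for this example; the file paths in them are placeholders.

```python
"""Pre-submission check implementing the CVE-2022-23536 workaround.

Added example, not code from the Cortex project. It inspects an Alertmanager
configuration as a parsed mapping and reports every setting the advisory says
to reject: `api_key_file` in any `opsgenie_configs` entry and
`opsgenie_api_key_file` in `global`. Operating on the parsed structure keeps
the check independent of any YAML library. The sample configurations below
are constructed for this example.
"""

# Settings the workaround rejects, keyed by the section they live in.
REJECTED_GLOBAL_KEYS = ("opsgenie_api_key_file",)
REJECTED_OPSGENIE_KEYS = ("api_key_file",)


def find_rejected_settings(am_config):
    """Return the config paths of rejected settings, or [] if the config passes.

    Paths are reported instead of a bare bool so the operator can tell the
    tenant exactly what to remove. Receivers are identified by their `name`
    when present and by position otherwise.
    """
    if not isinstance(am_config, dict):
        # A non-mapping document cannot be a valid Alertmanager config;
        # report it so the caller fails closed.
        return ["<document is not a mapping>"]

    findings = []

    global_section = am_config.get("global")
    if isinstance(global_section, dict):
        for key in REJECTED_GLOBAL_KEYS:
            if key in global_section:
                findings.append(f"global.{key}")

    receivers = am_config.get("receivers")
    if isinstance(receivers, list):
        for r_idx, receiver in enumerate(receivers):
            if not isinstance(receiver, dict):
                continue
            label = receiver.get("name") or f"#{r_idx}"
            opsgenie_configs = receiver.get("opsgenie_configs")
            if not isinstance(opsgenie_configs, list):
                continue
            for o_idx, og in enumerate(opsgenie_configs):
                if not isinstance(og, dict):
                    continue
                for key in REJECTED_OPSGENIE_KEYS:
                    if key in og:
                        findings.append(
                            f"receivers[{label}].opsgenie_configs[{o_idx}].{key}"
                        )
    return findings


def is_acceptable(am_config):
    """True when the configuration contains none of the rejected settings."""
    return not find_rejected_settings(am_config)


# Constructed sample: a tenant config that supplies the Opsgenie key inline.
CLEAN_CONFIG = {
    "global": {"resolve_timeout": "5m"},
    "route": {"receiver": "ops"},
    "receivers": [
        {"name": "ops", "opsgenie_configs": [{"api_key": "<inline-key>"}]},
    ],
}

# Constructed sample: the same config rewritten to reference files. The paths
# are placeholders; any file reference in these positions is refused.
FILE_REF_CONFIG = {
    "global": {"opsgenie_api_key_file": "/placeholder/path/one"},
    "route": {"receiver": "ops"},
    "receivers": [
        {"name": "ops", "opsgenie_configs": [{"api_key_file": "/placeholder/path/two"}]},
        {"name": "pager", "opsgenie_configs": [{"api_key": "<inline-key>"}]},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("file refs", FILE_REF_CONFIG)):
        problems = find_rejected_settings(cfg)
        verdict = "accept" if not problems else "reject: " + ", ".join(problems)
        print(f"{name}: {verdict}")
```

Run the check in whatever gate sits in front of the Set Configuration API (a CI step, an admission proxy, or the tool tenants use to upload configs) and refuse the upload when the list is non-empty. While the workaround is in place, tenants that need Opsgenie notifications can supply the key inline with `api_key` instead of a file reference; the workaround is only a stopgap until the upgrade in the Recommendations is applied.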