
Christian Simon

#48397 of 53,640
5.3 Total CVSS
Vulnerabilities · 1
PT-2021-21145
5.3
2021-08-03
Grafana · Grafana Cortex · CVE-2021-36157
Name of the Vulnerable Software and Affected Versions: Grafana Cortex versions through 1.9.0

Description: An issue was discovered where the header value `X-Scope-OrgID` is used to construct file paths for rules files. If this value is crafted to conduct directory traversal, such as `../../sensitive/path/in/deployment`, then Cortex will attempt to parse a rules file at that location and include some of the contents in the error message. Other Cortex API requests can also be sent a malicious `OrgID` header, potentially tricking the ingester into writing metrics to a different location, although the effect is more of a nuisance than information disclosure.

Recommendations: For versions through 1.9.0, consider restricting the use of the `X-Scope-OrgID` header to prevent directory traversal attacks until a patch is available. Additionally, restrict access to sensitive paths and monitor API requests for malicious `OrgID` headers to minimize the risk of exploitation.