Grafana · Grafana Agent · CVE-2021-41090
**Name of the Vulnerable Software and Affected Versions**
Grafana Agent versions prior to 0.20.1 and 0.21.2
**Description**
The issue concerns the exposure of inline secrets in plaintext over two endpoints: `/-/config` for metrics instance configs defined in the base YAML file and `/agent/api/v1/configs/:key` for metrics instance configs defined for the scraping service. These secrets are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. The exposure occurs when HTTPS with client authentication is not configured, making the endpoints accessible to unauthenticated users. Non-inlined secrets, such as `*_file` based secrets, are not impacted.
**Recommendations**
For versions prior to 0.20.1 and 0.21.2, use non-inline secrets where possible.
Restrict API access to Grafana Agent by restricting the network interfaces it listens on through `http_listen_address` in the `server` block.
Configure Grafana Agent to use HTTPS with client authentication.
Use firewall rules to restrict external access to Grafana Agent's API.
Upgrade to version 0.20.1 or any version past 0.21.2 to patch the issue.
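The following audit script is an added example, not part of this advisory or of Grafana Agent itself. It walks a parsed Agent config, reports credential keys that are inlined rather than supplied via their `*_file` counterparts, and checks whether `server.http_listen_address` is bound to loopback, which together cover the description and the first two recommendations above. The sample config, the set of secret key names and the assumption that an unset listen address binds all interfaces are mine.

```python
"""Audit a Grafana Agent config for inlined secrets (CVE-2021-41090 exposure)."""
import json

# Assumed set of inline credential keys used by remote_write, scrape and
# service-discovery blocks. Their *_file counterparts point at a path on
# disk instead of carrying the secret itself and are not affected.
SECRET_KEYS = {"password", "bearer_token", "credentials"}


def find_inline_secrets(node, path=""):
    """Recursively collect dotted paths of inlined, non-empty secret values."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in SECRET_KEYS and isinstance(value, str) and value:
                hits.append(child)
            else:
                hits.extend(find_inline_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_inline_secrets(item, f"{path}[{i}]"))
    return hits


def listens_beyond_loopback(config):
    """True unless server.http_listen_address is a loopback address.
    Assumption: an unset address binds every interface."""
    addr = config.get("server", {}).get("http_listen_address", "")
    return addr not in ("127.0.0.1", "::1", "localhost")


def audit(config):
    """Summarise inline secrets and whether they are reachable off-host."""
    hits = find_inline_secrets(config)
    return {"inline_secrets": hits,
            "reachable_off_host": bool(hits) and listens_beyond_loopback(config)}


# Constructed sample: an inlined remote_write password (flagged) next to a
# bearer_token_file in a scrape config (not flagged). YAML is a superset of
# JSON, so the same walker accepts yaml.safe_load() output of a real file.
SAMPLE_CONFIG = json.loads("""
{"server": {"http_listen_address": "0.0.0.0", "http_listen_port": 12345},
 "metrics": {
   "global": {"remote_write": [
     {"url": "https://prometheus.example/api/prom/push",
      "basic_auth": {"username": "agent", "password": "hunter2"}}]},
   "configs": [{"name": "hosts", "scrape_configs": [
     {"job_name": "node", "bearer_token_file": "/etc/agent/node.token",
      "static_configs": [{"targets": ["localhost:9100"]}]}]}]}}
""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
```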