CVE-2021-31231

Name of the Vulnerable Software and Affected Versions Grafana Enterprise Metrics versions prior to 1.2.1 Metrics Enterprise version 1.2.1

Description The issue allows for local file disclosure when the experimental.alertmanager.enable-api is used. The HTTP basic auth password file can be exploited to send any file content via a webhook. Additionally, the alertmanager templates can be used to send any file content because the alertmanager can load any text file specified in the templates list.

Recommendations For Grafana Enterprise Metrics versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue. For Metrics Enterprise version 1.2.1, consider disabling the experimental.alertmanager.enable-api until a patch is available. As a temporary workaround, restrict access to the alertmanager templates to minimize the risk of exploitation. Avoid using the password file in the HTTP basic auth configuration until the issue is resolved.