PT-2021-19212 · Cncf · Cncf Cortex

Published 2021-04-30 · Updated 2024-08-21 · CVE-2021-31232

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

CNCF Cortex versions prior to 1.8.1

Description

The issue concerns a local file disclosure problem in the Alertmanager component when the -experimental.alertmanager.enable-api option is enabled. This allows an attacker to potentially send any file content via a webhook by exploiting the HTTP basic auth password file. Additionally, the alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list. Improper input validation in CNCF Cortex is also a contributing factor.

Recommendations

For versions prior to 1.8.1, update to version 1.8.1 or later to resolve the issue. As a temporary workaround, consider disabling the -experimental.alertmanager.enable-api option until a patch is available. Restrict access to the alertmanager templates to minimize the risk of exploitation. Avoid using the HTTP basic auth password file in the alertmanager configuration until the issue is resolved.
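A review aid for the two vectors named in the description, added here as an example and not taken from the Cortex code base: it walks a decoded Alertmanager configuration and reports every `password_file` key and every `templates` entry that is a path or glob. The names `FindFileReferences`, `walk` and `sampleConfig` are hypothetical, the sample config is constructed, and treating only bare template names as acceptable is an assumed policy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed tenant config, written as JSON (a YAML subset) to stay stdlib-only.
const sampleConfig = `{"templates": ["tenant.tmpl", "/constructed/dir/*.tmpl"],
 "receivers": [{"name": "hook", "webhook_configs": [{"url": "https://hooks.example.test/in",
  "http_config": {"basic_auth": {"username": "u", "password_file": "/constructed/secret.txt"}}}]}]}`

// walk flags password_file keys and top-level templates entries that are not bare names (assumed policy).
func walk(node interface{}, path string, out *[]string) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			p := path + "/" + k
			if k == "password_file" {
				*out = append(*out, p)
			}
			if list, ok := child.([]interface{}); ok && p == "/templates" {
				for _, e := range list {
					if s, _ := e.(string); strings.ContainsAny(s, `/\*?[`) {
						*out = append(*out, p+": "+s)
					}
				}
			}
			walk(child, p, out)
		}
	case []interface{}:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s/%d", path, i), out)
		}
	}
}

// FindFileReferences returns the sorted findings for one config document (hypothetical helper).
func FindFileReferences(doc string) (out []string, err error) {
	var root interface{}
	if err = json.Unmarshal([]byte(doc), &root); err == nil {
		walk(root, "", &out)
		sort.Strings(out)
	}
	return out, err
}
func main() { fmt.Println(FindFileReferences(sampleConfig)) }
```

A real deployment would decode the tenant's YAML with a YAML library before the walk; an empty result means neither field references the local filesystem.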

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2021-31232
GHSA-M45G-F45X-VV22
GO-2022-0915

Affected Products

Cncf Cortex