PT-2021-21144 · Grafana+1 · Grafana Loki+1

Simonswine

Published

2021-08-03

Updated

2026-04-16

CVE-2021-36156

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Grafana Loki versions through 2.2.1

Description: An issue was discovered where the header value X-Scope-OrgID is used to construct file paths for rules files. If this value is crafted to conduct directory traversal, such as ../../sensitive/path/in/deployment, then Grafana Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

Recommendations: For versions through 2.2.1, as a temporary workaround, consider restricting the use of the X-Scope-OrgID header to prevent directory traversal attacks until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2021-2558

ALT-PU-2022-2584

CVE-2021-36156

GHSA-GRJ5-8X6Q-HC9Q

Affected Products

Alt Linux

Grafana Loki

PT-2021-21144 · Grafana+1 · Grafana Loki+1

CVE-2021-36156

Weakness Enumeration

Related Identifiers

Affected Products

References · 9