PT-2021-21145 · Grafana · Grafana Cortex

Christian Simon +1

Published 2021-08-03 · Updated 2021-09-02

CVE-2021-36157
CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Grafana Cortex versions through 1.9.0
Description: The value of the X-Scope-OrgID request header (the tenant ID) is used unvalidated to construct the path of a tenant's rules file. If the header is crafted for directory traversal, such as ../../sensitive/path/in/deployment, Cortex attempts to parse whatever file sits at that location as a rules file and echoes part of its contents back in the resulting error message, which discloses file content from the deployment to the requester. Other Cortex API requests can also be sent a malicious OrgID header, potentially tricking the ingester into writing metrics under a different location, although that effect is more of a nuisance than an information disclosure.
Recommendations: For versions through 1.9.0, validate X-Scope-OrgID at the authenticating reverse proxy or gateway that sets it and reject any value containing path separators or dot segments (for example "..", "/" or "\") until a patched release is deployed; Cortex itself does not authenticate the header, so the gateway is the place to enforce it. Additionally, run Cortex with filesystem access restricted to the paths it needs, and monitor API request logs for OrgID header values that are not plain tenant names.
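The following is an added illustration of the validation the recommendation above describes; it is not Cortex's own code and the allowlist policy, the rules directory path and the function names are assumptions chosen for the example. UnsafeRulesPath shows the vulnerable pattern (header value joined straight onto the rules directory), RulesPath and ValidateTenantID show the hardened version with both a character allowlist and a containment check on the cleaned path, and RequireTenant wraps those checks as HTTP middleware that rejects bad tenant headers before any handler touches the filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

const tenantHeader = "X-Scope-OrgID"

// errInvalidTenant is returned for any tenant ID that is not safe to use as
// a single path segment.
var errInvalidTenant = errors.New("invalid tenant ID")

// ValidateTenantID accepts only values usable as one path segment: non-empty,
// bounded length, not "." or "..", and drawn from a conservative allowlist
// (alphanumerics, '-', '_' and '.'). This policy is an assumption for the
// example, not the project's.
func ValidateTenantID(id string) error {
	if id == "" || len(id) > 150 || id == "." || id == ".." {
		return errInvalidTenant
	}
	for _, r := range id {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case strings.ContainsRune("-_.", r):
		default:
			return errInvalidTenant // rejects '/', '\\', NUL, whitespace, ...
		}
	}
	return nil
}

// UnsafeRulesPath mirrors the vulnerable pattern: the header value is joined
// onto the rules directory with no validation, so "../../etc/passwd" resolves
// to a file outside baseDir.
func UnsafeRulesPath(baseDir, tenantID string) string {
	return filepath.Join(baseDir, tenantID)
}

// RulesPath is the hardened version: it validates the tenant ID and then
// additionally checks that the cleaned, joined path is still inside baseDir
// (defence in depth in case the allowlist is ever relaxed).
func RulesPath(baseDir, tenantID string) (string, error) {
	if err := ValidateTenantID(tenantID); err != nil {
		return "", err
	}
	base := filepath.Clean(baseDir)
	p := filepath.Join(base, tenantID)
	if !strings.HasPrefix(p, base+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", errInvalidTenant, tenantID, base)
	}
	return p, nil
}

// RequireTenant is middleware for the gateway (or the service itself) that
// rejects requests whose X-Scope-OrgID fails validation with 400.
func RequireTenant(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := ValidateTenantID(r.Header.Get(tenantHeader)); err != nil {
			http.Error(w, "invalid or missing "+tenantHeader, http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample header values: one legitimate tenant, two traversal
	// attempts and an empty header.
	const rulesDir = "/var/lib/cortex/rules" // assumed deployment path
	for _, id := range []string{"tenant-a", "../../etc/passwd", "a/b", ""} {
		safe, err := RulesPath(rulesDir, id)
		fmt.Printf("%-20q unsafe=%-32q safe=%q err=%v\n",
			id, UnsafeRulesPath(rulesDir, id), safe, err)
	}
}
```

Placing RequireTenant in front of every Cortex API route (not only the ruler) also covers the ingester case described above, since the same header reaches every component.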

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-36157
GHSA-JPHM-G89M-V42P

Affected Products

Grafana Cortex