PT-2021-23081 · Grafana · Grafana Agent

Rfratto · Published 2021-12-08 · Updated 2024-08-21

CVE-2021-41090 · CVSS v3.1 6.5 (Medium) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Grafana Agent versions prior to 0.20.1 and 0.21.2

Description: The issue concerns the exposure of inline secrets in plaintext over two endpoints: /-/config, for metrics instance configs defined in the base YAML file, and /agent/api/v1/configs/:key, for metrics instance configs defined for the scraping service. These secrets are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. The exposure occurs when HTTPS with client authentication is not configured, which leaves both endpoints reachable by unauthenticated users. Non-inlined secrets, such as *_file-based secrets, are not impacted.

Recommendations: For versions prior to 0.20.1 and 0.21.2, use non-inline secrets where possible. Restrict API access to Grafana Agent by restricting the network interfaces it listens on through http_listen_address in the server block. Configure Grafana Agent to use HTTPS with client authentication. Use firewall rules to restrict external access to Grafana Agent's API. Upgrade to version 0.20.1 or any version past 0.21.2 to patch the issue.
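As an added illustration, not taken from the advisory or from the Grafana Agent project, two static-mode configuration documents: the first reproduces the exposed setup the advisory describes, the second applies the recommended hardening. Field names follow the 0.2x-era server and metrics blocks as I recall them and are an assumption; the host, file paths and credential are placeholders.

```yaml
# Added illustration (not the advisory's own text). Field names are an
# assumption about the 0.2x static-mode config; values are placeholders.

# --- Exposed: inline secret, API bound to every interface, no TLS ----------
server:
  http_listen_address: 0.0.0.0          # /-/config reachable from the network
  http_listen_port: 12345
metrics:
  global:
    remote_write:
      - url: https://prometheus.example/api/v1/write
        basic_auth:
          username: agent
          password: placeholder-secret  # inline: returned in plaintext by /-/config
---
# --- Hardened: loopback only, client-cert HTTPS, secret read from a file ----
server:
  http_listen_address: 127.0.0.1        # API no longer reachable off-host
  http_listen_port: 12345
  http_tls_config:                      # HTTPS with client authentication
    cert_file: /etc/agent/tls/server.crt
    key_file: /etc/agent/tls/server.key
    client_auth_type: RequireAndVerifyClientCert
    client_ca_file: /etc/agent/tls/ca.crt
metrics:
  global:
    remote_write:
      - url: https://prometheus.example/api/v1/write
        basic_auth:
          username: agent
          password_file: /etc/agent/secrets/remote_write_password  # *_file secret, not exposed
```

The two documents are separated by `---` only so they can sit in one file for comparison; deploy one or the other, and keep the password file readable only by the agent's service account.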

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information
Information Disclosure

Related Identifiers

CVE-2021-41090
GHSA-9C4X-5HGQ-Q3WH
GO-2022-0305

Affected Products

Grafana Agent