PT-2022-16058 · Cortex · Cortex
Austin Robertson · Published 2022-12-19 · Updated 2022-12-27 · CVE-2022-23536
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Cortex versions 1.13.0 through 1.13.1
Cortex version 1.14.0
Description
A local file inclusion issue exists in Cortex: a malicious actor could remotely read local files as a result of Cortex parsing maliciously crafted Alertmanager configurations submitted to the "Alertmanager Set Configuration API". Only users of the Alertmanager service where -experimental.alertmanager.enable-api or enable_api: true is configured are affected.
Recommendations
For Cortex versions 1.13.0 through 1.13.1, upgrade to version 1.13.2.
For Cortex version 1.14.0, upgrade to version 1.14.1.
As a temporary workaround, Cortex administrators may reject Alertmanager configurations containing the api_key_file setting in the opsgenie_configs section before sending to the Alertmanager Set Configuration API.
Additionally, reject configurations containing the opsgenie_api_key_file setting in the global section as an extra precaution.
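One way to apply the temporary workaround before a configuration reaches the Alertmanager Set Configuration API, as an added example that is not Cortex's own code: it parses the YAML and reports the two settings named in the recommendations. The alertmanager_config envelope field, the function names and the sample bodies are assumptions made for the illustration.

```ruby
require 'yaml'

# Paths the workaround rejects, found by parsing the YAML rather than string
# matching, so quoted or escaped spellings of a key are still recognised.
def forbidden_settings(alertmanager_yaml)
  cfg = YAML.safe_load(alertmanager_yaml, aliases: true)
  return [] unless cfg.is_a?(Hash)
  hits = []
  global = cfg['global']
  if global.is_a?(Hash) && global.key?('opsgenie_api_key_file')
    hits << 'global.opsgenie_api_key_file'
  end
  Array(cfg['receivers']).each_with_index do |rcv, i|
    next unless rcv.is_a?(Hash)
    Array(rcv['opsgenie_configs']).each_with_index do |og, j|
      next unless og.is_a?(Hash) && og.key?('api_key_file')
      hits << "receivers[#{i}].opsgenie_configs[#{j}].api_key_file"
    end
  end
  hits
end

# Assumption: the request body is YAML whose alertmanager_config field holds
# the Alertmanager configuration as a string. Anything else fails closed.
def safe_to_submit?(payload_yaml)
  payload = YAML.safe_load(payload_yaml, aliases: true)
  inner = payload.is_a?(Hash) ? payload['alertmanager_config'] : nil
  inner.is_a?(String) && forbidden_settings(inner).empty?
rescue Psych::Exception
  false
end

# Constructed sample bodies (not taken from the advisory).
BENIGN = <<~'YAML'
  alertmanager_config: |
    receivers:
      - name: ops
        opsgenie_configs:
          - api_key: placeholder-key
YAML
FLAGGED = <<~'YAML'
  alertmanager_config: |
    global:
      opsgenie_api_key_file: /placeholder/path
    receivers:
      - name: ops
        opsgenie_configs:
          - "api\x5fkey_file": /placeholder/path
YAML
puts "benign=#{safe_to_submit?(BENIGN)} flagged=#{safe_to_submit?(FLAGGED)}"
```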
Incomplete List of Disallowed Inputs
Affected Products
Cortex