Go modules package
github.com/cortexproject/cortex
pkg:golang/github.com/cortexproject/cortex
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-41265 | High | 7.5 | | <= 0.42.1 | — | Aug 1, 2024 | A TLS certificate verification issue discovered in cortex v0.42.1 allows attackers to obtain sensitive information via the makeOperatorRequest function. |
| CVE-2022-23536 | — | | | >= 1.14.0, < 1.14.1 | 1.14.1 | Dec 19, 2022 | Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations |
| CVE-2021-36157 | — | | | <= 1.9.0 | — | Aug 3, 2021 | An issue was discovered in Grafana Cortex through 1.9.0. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Cortex will attempt to parse a rules |
| CVE-2021-31232 | — | | | < 1.8.1 | 1.8.1 | Apr 30, 2021 | The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be u |