5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-36156

GHSA ID

GHSA-grj5-8x6q-hc9q

EPSS Score

0.59605%

CWE

CWE-22

Published

9/2/2021

Updated

2/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-36156

CVE-2021-36156:
Path traversal in Grafana Loki

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-36156

GHSA ID

GHSA-grj5-8x6q-hc9q

EPSS Score

0.59605%

CWE

CWE-22

Published

9/2/2021

Updated

2/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/loki	go	< 2.3.0	2.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using unsanitized X-Scope-OrgID values in file path construction. The ruler component's rule group synchronization logic (SyncRuleGroups) directly used tenant IDs to build filesystem paths. Since Loki's ruler inherits from Cortex's implementation, and the fix involved updating Cortex's tenant ID validation, the vulnerable function would be in the rule management logic that handles tenant-specific paths. The description explicitly mentions rules file path construction as the attack vector, aligning with the ruler component's responsibilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in *r***n* Loki t*rou** *.*.*. T** *****r v*lu* X-S*op*-Or*I* is us** to *onstru*t *il* p*t*s *or rul*s *il*s, *n* i* *r**t** to *on*u*t *ir**tory tr*v*rs*l su** *s ** ../../s*nsitiv*/p*t*/in/**ploym*nt p*t*n*m*, t**n Loki wil

Reasoning

T** vuln*r**ility st*ms *rom usin* uns*nitiz** X-S*op*-Or*I* v*lu*s in *il* p*t* *onstru*tion. T** rul*r *ompon*nt's rul* *roup syn**roniz*tion lo*i* (`Syn*Rul**roups`) *ir**tly us** t*n*nt I*s to *uil* *il*syst*m p*t*s. Sin** Loki's rul*r in**rits *

5.3

Basic Information

Concerned about an active attack path?

CVE-2021-36156: Path traversal in Grafana Loki

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-36156:
Path traversal in Grafana Loki

Vulnerability Intelligence
Miggo AI