
CVE-2021-41090: Instance config inline secret exposure in Grafana

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.72017%
Published: 12/8/2021
Updated: 2/1/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/grafana/agent | go | >= 0.14.0, < 0.21.2 | 0.21.2 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from configuration marshaling functions not scrubbing secrets when serializing data for exposed API endpoints. The key evidence is in the commit diff showing the `scrub_secrets` parameter being changed from false to true in multiple locations, particularly in API handlers and YAML serialization paths. The test patches explicitly validate secret scrubbing behavior, confirming these functions' role in the exposure.
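The marshaling path the analysis describes, as an added Go example that is not the agent's own code: a `scrub_secrets`-style flag on the serializer, where false reproduces the pre-fix output and true redacts a deep copy of the config before an exposed handler such as `/-/config` would return it. The `Secret`, `Instance` and `Config` types, the `<secret>` placeholder and the use of encoding/json in place of the agent's YAML encoding are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

type Secret string // inline credential that must not reach an exposed endpoint in clear text

// Constructed stand-in for a metrics instance config; encoding/json replaces the agent's YAML encoding.
type Instance struct {
	Name     string `json:"name"`
	Password Secret `json:"password"`
}
type Config struct {
	Instances []Instance `json:"instances"`
}

func encode(v interface{}) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep the "<secret>" placeholder readable in the output
	err := enc.Encode(v)
	return bytes.TrimSpace(buf.Bytes()), err
}

// Marshal serializes cfg. scrubSecrets=false is the pre-fix behaviour (secret verbatim); true, which the fix
// passes on exposed paths such as /-/config, redacts a deep copy (a struct copy would still share the slices).
func Marshal(cfg Config, scrubSecrets bool) ([]byte, error) {
	raw, err := encode(cfg)
	if err != nil || !scrubSecrets {
		return raw, err
	}
	var cp Config
	if err := json.Unmarshal(raw, &cp); err != nil {
		return nil, err
	}
	for i := range cp.Instances {
		cp.Instances[i].Password = "<secret>" // placeholder is an assumption, not the agent's exact output
	}
	return encode(cp)
}

func main() {
	cfg := Config{Instances: []Instance{{Name: "prod", Password: "pw-constructed-123"}}} // constructed
	vuln, _ := Marshal(cfg, false)
	fixed, _ := Marshal(cfg, true)
	fmt.Printf("scrub_secrets=false: %s\nscrub_secrets=true:  %s\n", vuln, fixed)
}
```

The round trip through the encoder is what keeps the live configuration untouched; redacting the original struct in place would scrub the copy the agent still needs.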



### Impact

Some inline secrets are exposed in plaintext over the Grafana Agent HTTP server:

* Inline secrets for metrics instance configs in the base YAML file are exposed at `/-/config`
* Inline secrets for integrations are exposed at `/-/config`
