6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23536

GHSA ID

GHSA-cq2g-pw6q-hf7j

EPSS Score

0.56828%

CWE

CWE-73

Published

12/19/2022

Updated

10/2/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23536

CVE-2022-23536: Cortex's Alertmanager can expose local files content via specially crafted config

Impact

A local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Cortex Alertmanager service using -experimental.alertmanager.enable-api or enable_api: true are affected.

Specific Go Packages Affected

github.com/cortexproject/cortex/pkg/alertmanager

Patches

Affected Cortex users are advised to upgrade to versions 1.13.2 or 1.14.1.

Workarounds

Patching is ultimately advised. Using out-of-bound validation, Cortex administrators may reject Alertmanager configurations containing the api_key_file setting in the opsgenie_configs section and opsgenie_api_key_file in the global section before sending to the Set Alertmanager Configuration API as a workaround.

References

Fixed Versions:
- https://github.com/cortexproject/cortex/releases/tag/v1.14.1
- https://github.com/cortexproject/cortex/releases/tag/v1.13.2
https://cortexmetrics.io/docs/api/#set-alertmanager-configuration

For more information

If you have any questions or comments about this advisory:

Open an issue in cortex
Email us at cortex-team@googlegroups.com.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23536

GHSA ID

GHSA-cq2g-pw6q-hf7j

EPSS Score

0.56828%

CWE

CWE-73

Published

12/19/2022

Updated

10/2/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cortexproject/cortex	go	= 1.14.0	1.14.1
github.com/cortexproject/cortex	go	>= 1.13.0, < 1.13.2	1.13.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation of OpsGenie configuration parameters in Alertmanager configs. The commit 03e023d adds validation for 'api_key_file' in OpsGenieConfig and 'opsgenie_api_key_file' in GlobalConfig, indicating these were previously unvalidated. The Go vulnerability report (GO-2022-1175) explicitly identifies validateAlertmanagerConfig and validateGlobalConfig as affected symbols. These functions were responsible for config validation but didn't check for dangerous file path parameters in OpsGenie configurations, enabling local file inclusion when processing malicious API requests.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * lo**l *il* in*lusion vuln*r**ility *xists in *ort*x v*rsions v*.**.*, v*.**.* *n* v*.**.*, w**r* * m*li*ious **tor *oul* r*mot*ly r*** lo**l *il*s *s * r*sult o* p*rsin* m*li*iously *r**t** *l*rtm*n***r *on*i*ur*tions w**n su*mitt** to

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt v*li**tion o* Ops**ni* *on*i*ur*tion p*r*m*t*rs in *l*rtm*n***r *on*i*s. T** *ommit ******* ***s v*li**tion *or '*pi_k*y_*il*' in Ops**ni**on*i* *n* 'ops**ni*_*pi_k*y_*il*' in *lo**l*on*i*, in*i**tin* t**s* w

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-23536: Cortex's Alertmanager can expose local files content via specially crafted config

Impact

Specific Go Packages Affected

Patches

Workarounds

References

For more information

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI