6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23536

CVE-2022-23536: Cortex's Alertmanager can expose local files content via specially crafted config

Impact

A local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Cortex Alertmanager service using -experimental.alertmanager.enable-api or enable_api: true are affected.

Specific Go Packages Affected

github.com/cortexproject/cortex/pkg/alertmanager

Patches

Affected Cortex users are advised to upgrade to versions 1.13.2 or 1.14.1.

Workarounds

Patching is ultimately advised. Using out-of-bound validation, Cortex administrators may reject Alertmanager configurations containing the api_key_file setting in the opsgenie_configs section and opsgenie_api_key_file in the global section before sending to the Set Alertmanager Configuration API as a workaround.

References

Fixed Versions:
- https://github.com/cortexproject/cortex/releases/tag/v1.14.1
- https://github.com/cortexproject/cortex/releases/tag/v1.13.2
https://cortexmetrics.io/docs/api/#set-alertmanager-configuration

For more information

If you have any questions or comments about this advisory:

Open an issue in cortex
Email us at cortex-team@googlegroups.com.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-23536

CVE-2022-23536:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/cortexproject/cortex	go	= 1.14.0	1.14.1
github.com/cortexproject/cortex	go	>= 1.13.0, < 1.13.2	1.13.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation of OpsGenie configuration parameters in Alertmanager configs. The commit 03e023d adds validation for 'api_key_file' in OpsGenieConfig and 'opsgenie_api_key_file' in GlobalConfig, indicating these were previously unvalidated. The Go vulnerability report (GO-2022-1175) explicitly identifies validateAlertmanagerConfig and validateGlobalConfig as affected symbols. These functions were responsible for config validation but didn't check for dangerous file path parameters in OpsGenie configurations, enabling local file inclusion when processing malicious API requests.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-23536: Cortex's Alertmanager can expose local files content via specially crafted config

Impact

Specific Go Packages Affected

Patches

Workarounds

References

For more information

CVE-2022-23536:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

CVE-2022-23536: Cortex's Alertmanager can expose local files content via specially crafted config

Impact

Specific Go Packages Affected

Patches

Workarounds

References

For more information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI