The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-04-30T12:34:28

Updated: 2024-08-03T22:55:53.696Z

Reserved: 2021-04-15T00:00:00

Link: CVE-2021-31231

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-04-30T13:15:07.547

Modified: 2024-11-21T06:05:20.887

Link: CVE-2021-31231

cve-icon Redhat

No data.