CVE-2021-31232: Improper Input Validation

April 30, 2021 (updated August 8, 2023)

The Alertmanager in CNCF Cortex has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.

References

lists.cncf.io/g/cortex-users/message/50
nvd.nist.gov/vuln/detail/CVE-2021-31232

Code Behaviors & Features

Detect and mitigate CVE-2021-31232 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →