CVE-2021-31231

low-risk
Published 2021-04-30

The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (2)

Enterprise Metrics
Enterprise Metrics

Affected Vendors

Grafana

References (10)

Broken Link https://community.grafana.com/c/security-announcements
Product https://grafana.com/docs/metrics-enterprise/
Release Notes https://grafana.com/docs/metrics-enterprise/latest/downloads/#v113----april-27-2...
Release Notes https://grafana.com/docs/metrics-enterprise/latest/downloads/#v121----april-27-2...
Third Party Advisory https://security.netapp.com/advisory/ntap-20210611-0001/
Broken Link https://community.grafana.com/c/security-announcements
Product https://grafana.com/docs/metrics-enterprise/
Release Notes https://grafana.com/docs/metrics-enterprise/latest/downloads/#v113----april-27-2...
Release Notes https://grafana.com/docs/metrics-enterprise/latest/downloads/#v121----april-27-2...
Third Party Advisory https://security.netapp.com/advisory/ntap-20210611-0001/
25
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 7/34 · Low