First published: Tue Aug 03 2021
An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal, such as a ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of its contents in the error message.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Grafana Loki | <=2.2.1 | Update to 2.3.0 or later
The vulnerability ID of this issue in Grafana Loki is CVE-2021-36156.
The severity of CVE-2021-36156 is medium with a CVSS score of 5.3.
The affected software version of CVE-2021-36156 is Grafana Loki up to and including version 2.2.1.
An attacker can exploit CVE-2021-36156 by crafting a malicious X-Scope-OrgID header value to conduct directory traversal and attempt to parse rules files from sensitive locations.
To mitigate CVE-2021-36156, update to Grafana Loki version 2.3.0 or later.
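The root cause is a tenant header used directly as a path component. The example below is added here and is not Loki's own code: it puts the weak join pattern beside a hardened version that validates the X-Scope-OrgID value as a single directory name and then re-checks that the final path stays under the rules directory. The allowlist of permitted characters, the 150-character limit and the /loki/rules base directory are assumptions made for this example.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
)

// ErrInvalidTenant is returned for header values that are unsafe as a path component.
var ErrInvalidTenant = errors.New("X-Scope-OrgID is not a valid tenant id")

// naiveRulesPath shows the weak pattern: the header value is joined straight into the
// rules path. filepath.Join normalises ".." segments, so a traversal value escapes baseDir.
func naiveRulesPath(baseDir, tenant string) string {
	return filepath.Join(baseDir, tenant, "rules.yaml")
}

// validateTenant rejects values that could act as anything but a single directory name.
// The allowlist (letters, digits, '-', '_') and the length cap are assumptions for this example.
func validateTenant(tenant string) error {
	if tenant == "" || len(tenant) > 150 {
		return ErrInvalidTenant
	}
	for _, r := range tenant {
		ok := r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '-' || r == '_'
		if !ok {
			return ErrInvalidTenant
		}
	}
	return nil
}

// safeRulesPath validates the tenant first and then re-checks that the final path still
// lies inside baseDir, so a gap in validateTenant cannot silently reopen the traversal.
func safeRulesPath(baseDir, tenant string) (string, error) {
	if err := validateTenant(tenant); err != nil {
		return "", err
	}
	root := filepath.Clean(baseDir)
	full := filepath.Join(root, tenant, "rules.yaml")
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidTenant
	}
	return full, nil
}
```

Rejecting the header at the edge (proxy or gateway) with the same allowlist gives a second, independent layer and a clean signal to alert on.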