CGA-75gr-qh26-9397

Published

Last updated

https://images.chainguard.dev/security/CGA-75gr-qh26-9397

Package

grafana-8

Repository

Chainguard

Latest Update

Fix not planned

Aliases

CVE-2021-36156
GHSA-grj5-8x6q-hc9q

Severity

Unknown

Summary

Path traversal in Grafana Loki

Description

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

References

https://nvd.nist.gov/vuln/detail/CVE-2021-36156
https://github.com/advisories/GHSA-grj5-8x6q-hc9q
https://github.com/grafana/loki/pull/4020
https://github.com/grafana/loki/pull/4020#issue-694377133
https://github.com/grafana/loki
https://github.com/grafana/loki/releases/tag/v2.3.0

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CGA-75gr-qh26-9397

Severity

Summary

Description

References

Updates

Products

Why Chainguard

Customers

Company

Resources