CVE-2021-31231 — MEDIUM (5.5)

Q: How severe is CVE-2021-31231?

CVE-2021-31231 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-31231?

Check the references section above for vendor advisories and patch information. Affected products include: Grafana Enterprise Metrics.

Vulnerability Description

The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Grafana	Enterprise Metrics	< 1.2.1

References

https://community.grafana.com/c/security-announcementsBroken LinkVendor Advisory
https://grafana.com/docs/metrics-enterprise/ProductVendor Advisory
https://grafana.com/docs/metrics-enterprise/latest/downloads/#v113----april-27-2Release NotesVendor Advisory
https://grafana.com/docs/metrics-enterprise/latest/downloads/#v121----april-27-2Release NotesVendor Advisory
https://security.netapp.com/advisory/ntap-20210611-0001/Third Party Advisory
https://community.grafana.com/c/security-announcementsBroken LinkVendor Advisory
https://grafana.com/docs/metrics-enterprise/ProductVendor Advisory
https://grafana.com/docs/metrics-enterprise/latest/downloads/#v113----april-27-2Release NotesVendor Advisory
https://grafana.com/docs/metrics-enterprise/latest/downloads/#v121----april-27-2Release NotesVendor Advisory
https://security.netapp.com/advisory/ntap-20210611-0001/Third Party Advisory

FAQ

What is CVE-2021-31231?

CVE-2021-31231 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic aut...

How severe is CVE-2021-31231?

CVE-2021-31231 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-31231?

Check the references section above for vendor advisories and patch information. Affected products include: Grafana Enterprise Metrics.