CVE-2021-36156 — Vulnetix

CVE-2021-36156 PUBLISHED CVSS 5 MEDIUM

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

EPSS 0.25% · 48.9th percentile

Risk Scores

CVSS v2.0

EPSS Score

0.25%

48.9th percentile

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a
github.com	grafana/loki	0
grafana	loki	0

Timeline

Aug 3, 2021 CVE Published
Aug 4, 2021 EPSS Score
Sep 14, 2021 CVE Updated
Oct 2, 2021 EPSS Score
Nov 30, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Mar 27, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 25, 2022 EPSS Score
Jul 24, 2022 EPSS Score
Sep 21, 2022 EPSS Score

References

https://github.com/grafana/loki/pull/4020#issue-694377133 url
https://github.com/grafana/loki/releases/tag/v2.3.0 url
https://nvd.nist.gov/vuln/detail/CVE-2021-36156 advisory
https://github.com/grafana/loki/pull/4020 url
https://github.com/grafana/loki package

Open in Interactive Console →