CVE-2021-36156 - OpenCVE

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Grafana	Loki

Configuration 1 [-]

cpe:2.3:a:grafana:loki:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/advisories/GHSA-grj5-8x6q-hc9q
https://github.com/grafana/loki/pull/4020#issue-694377133
https://github.com/grafana/loki/releases/tag/v2.3.0
https://nvd.nist.gov/vuln/detail/CVE-2021-36156
https://www.cve.org/CVERecord?id=CVE-2021-36156

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-03T14:12:11

Updated: 2024-08-04T00:47:43.938Z

Reserved: 2021-07-05T00:00:00

Link: CVE-2021-36156

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-08-03T15:15:08.623

Modified: 2021-09-14T18:46:21.647

Link: CVE-2021-36156

Redhat

Severity : Moderate

Publid Date: 2021-08-03T00:00:00Z

Links: CVE-2021-36156 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-07T19:35:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/grafana/loki/pull/4020#issue-694377133"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/grafana/loki/releases/tag/v2.3.0"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-36156", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/grafana/loki/pull/4020#issue-694377133", "refsource": "MISC", "url": "https://github.com/grafana/loki/pull/4020#issue-694377133"}, {"name": "https://github.com/grafana/loki/releases/tag/v2.3.0", "refsource": "MISC", "url": "https://github.com/grafana/loki/releases/tag/v2.3.0"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:47:43.938Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grafana/loki/pull/4020#issue-694377133"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grafana/loki/releases/tag/v2.3.0"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-36156", "datePublished": "2021-08-03T14:12:11", "dateReserved": "2021-07-05T00:00:00", "dateUpdated": "2024-08-04T00:47:43.938Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:loki:*:*:*:*:*:*:*:*", "matchCriteriaId": "7ADC302F-5EE7-411F-93E0-A241D0E3BB95", "versionEndIncluding": "2.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message."}, {"lang": "es", "value": "Se ha detectado un problema en Grafana Loki versiones hasta 2.2.1. El valor del encabezado X-Scope-OrgID es usado para dise\u00f1ar las rutas de los archivos de reglas, y si se dise\u00f1a para realizar un salto de directorio como ae ../../sensitive/path/in/deployment pathname, Loki intentar\u00e1 entonces analizar un archivo de reglas en esa ubicaci\u00f3n e incluir\u00e1 parte del contenido en el mensaje de error"}], "id": "CVE-2021-36156", "lastModified": "2021-09-14T18:46:21.647", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-03T15:15:08.623", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/grafana/loki/pull/4020#issue-694377133"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/grafana/loki/releases/tag/v2.3.0"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "loki: Path traversal in Grafana Loki", "id": "2183161", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2183161"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.", "A flaw was found in Grafana Loki that could allow a remote attacker to traverse directories on the system, caused by improper input validation by the X-Scope-OrgID header value. An attacker could send a specially-crafted URL request containing \"dot dot\" sequences (/../) to view some of the contents in the error message."], "name": "CVE-2021-36156", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/loki-rhel8-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:service_mesh:2.1", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.1"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-08-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-36156\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-36156\nhttps://github.com/advisories/GHSA-grj5-8x6q-hc9q"], "statement": "This is a pathname parsing issue in Grafana Loki, which we don't ship in Red Hat Enterprise Linux - 8 and 9. Hence, not-affected.", "threat_severity": "Moderate", "upstream_fix": "Grafana loki 2.3.0"}