Security Advisory

CVE-2021-36156

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2021-08-03 14:12:11
Last updated 2024-08-04 00:47:43
Assigner mitre
State PUBLISHED

Description

An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.