CVE-2021-36156 log

Severity Medium
Remote Yes
Type Directory traversal
An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as a ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.
Group Package Affected Fixed Severity Status Ticket
AVG-2250 loki 2.2.1-3 2.3.0-1 Medium Fixed
Date Advisory Group Package Severity Type
10 Aug 2021 ASA-202108-12 AVG-2250 loki Medium directory traversal