CVE-2021-36156 - log back

CVE-2021-36156 edited at 03 Aug 2021 16:24:59
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Directory traversal
Description
+ An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as a ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.
References
+ https://github.com/grafana/loki/pull/4020
+ https://github.com/grafana/loki/commit/2fd633cded9a97c8c6b29160549a157678d1fa2f
Notes
CVE-2021-36156 created at 03 Aug 2021 16:23:24