CVE-2022-23536: 
Homebrew vulnerability analysis and mitigation

A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files through maliciously crafted Alertmanager configurations submitted to the Alertmanager Set Configuration API. The vulnerability, identified as CVE-2022-23536, affects only users of the Alertmanager service where -experimental.alertmanager.enable-api or enable_api: true is configured (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue is related to multiple CWE categories including CWE-73 (External Control of File Name or Path), CWE-184 (Incomplete List of Disallowed Inputs), and CWE-641 (Improper Restriction of Names for Files and Other Resources). The vulnerability specifically involves the parsing of maliciously crafted Alertmanager configurations, particularly focusing on the api_key_file setting in the opsgenie_configs section (GitHub Advisory).

The vulnerability allows malicious actors to remotely read local files on the affected system, potentially exposing sensitive information. The attack requires low complexity and can be executed remotely, though it does require low-level privileges. While the confidentiality impact is high, there are no direct impacts on system integrity or availability (GitHub Advisory).

Affected users are advised to upgrade to the patched versions 1.13.2 or 1.14.1. As a temporary workaround, Cortex administrators can implement out-of-bound validation to reject Alertmanager configurations containing the api_key_file setting in the opsgenie_configs section and opsgenie_api_key_file in the global section before sending to the Set Alertmanager Configuration API (GitHub Release v1.13.2, GitHub Release v1.14.1).