CVE-2021-41090

Instance config inline secret exposure

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at `/-/config` and metrics instance configs defined for the scraping service are exposed at `/agent/api/v1/configs/:key`. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. This does not apply for non-inlined secrets, such as `*_file` based secrets. This issue is patched in Grafana Agent versions 0.20.1 and 0.21.2. A few workarounds are available. Users who cannot upgrade should use non-inline secrets where possible. Users may also desire to restrict API access to Grafana Agent with some combination of restricting the network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block, configuring Grafana Agent to use HTTPS with client authentication, and/or using firewall rules to restrict external access to Grafana Agent's API.

Grafana Agent es un recolector de telemetría para enviar métricas, registros y datos de rastreo a la pila de observabilidad de Grafana. Antes de las versiones 0.20.1 y 0.21.2, los secretos en línea definidos dentro de una configuración de instancia de métrica se exponen en texto plano en dos endpoints: las configuraciones de instancia de métrica definidas en el archivo YAML base se exponen en "/-/config" y las configuraciones de instancia de métrica definidas para el servicio de raspado se exponen en "/agent/api/v1/configs/:key". Los secretos en línea son expuestos a cualquiera que pueda alcanzar estos endpoints. Si no se configura HTTPS con autenticación de cliente, estos endpoints son accesibles a usuarios no autenticados. Los secretos que son encontrados en estas secciones son usados para entregar métricas a un sistema de escritura remota de Prometheus, autenticar contra un sistema para detectar objetivos de Prometheus y autenticar contra un sistema para recopilar métricas. Esto no es aplicado a los secretos no alineados, como los secretos basados en "*_file". Este problema se ha parcheado en Grafana Agent versiones 0.20.1 y 0.21.2. Se presentan algunas soluciones disponibles. Los usuarios que no puedan actualizares deberían usar secretos no basados en la línea siempre que sea posible. Los usuarios también pueden querer restringir el acceso a la API de Grafana Agent con alguna combinación de restricción de las interfaces de red que escucha Grafana Agent mediante "http_listen_address" en el bloque "server", configurando Grafana Agent para usar HTTPS con autenticación de cliente, y/o usando reglas de firewall para restringir el acceso externo a la API de Grafana Agent

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-09-15 CVE Reserved
2021-12-08 CVE Published
2024-08-04 CVE Updated
2024-08-23 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-312: Cleartext Storage of Sensitive Information

CAPEC

References (6)

URL	Tag	Source
https://github.com/grafana/agent/releases/tag/v0.20.1	Release Notes
https://github.com/grafana/agent/releases/tag/v0.21.2	Release Notes
https://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh	Third Party Advisory
https://security.netapp.com/advisory/ntap-20211229-0004	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/grafana/agent/commit/af7fb01e31fe2d389e5f1c36b399ddc46b412b21	2022-03-31
https://github.com/grafana/agent/pull/1152	2022-03-31

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Grafana Search vendor "Grafana"		Agent Search vendor "Grafana" for product "Agent"				>= 0.14.0 < 0.20.1 Search vendor "Grafana" for product "Agent" and version " >= 0.14.0 < 0.20.1"		-		Affected
Grafana Search vendor "Grafana"		Agent Search vendor "Grafana" for product "Agent"				>= 0.21.0 < 0.21.2 Search vendor "Grafana" for product "Agent" and version " >= 0.21.0 < 0.21.2"		-		Affected