Arch Linux Security Advisory ASA-202112-12
==========================================

Severity: High
Date    : 2021-12-11
CVE-ID  : CVE-2021-41090
Package : grafana-agent
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2614

Summary
=======

The package grafana-agent before version 0.21.2-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 0.21.2-1.

# pacman -Syu "grafana-agent>=0.21.2-1"

The problem has been fixed upstream in version 0.21.2.

Workaround
==========

None.

Description
===========

A security issue has been found in Grafana Agent before version 0.21.2.
Some inline secrets are exposed in plaintext over the Grafana Agent
HTTP server:

- Inline secrets for metrics instance configs in the base YAML file are
  exposed at /-/config
- Inline secrets for integrations are exposed at /-/config
- Inline secrets for Consul ACL tokens and ETCD basic auth, when
  configured for the scraping service, are exposed at /-/config
- Inline secrets for the Kafka receiver for OpenTelemetry-Collector
  tracing are exposed at /-/config
- Inline secrets for metrics instance configs loaded from the scraping
  service are exposed at /agent/api/v1/configs/{name}

Inline secrets will be exposed to anyone being able to reach these
endpoints.

Secrets found in these sections are used for:

- Delivering metrics to a Prometheus Remote Write system
- Authenticating against a system for discovering Prometheus targets
- Authenticating against a system for collecting metrics
  (scrape_configs and integrations)
- Authenticating against a Consul or ETCD for storing configurations to
  distribute in scraping service mode
- Authenticating against Kafka for receiving traces

Non-inlined secrets, such as *_file-based secrets, are not impacted by
this vulnerability.
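As an added example (not part of the advisory or of the Grafana Agent
project), the following script walks a parsed agent configuration, lists
the inline secrets that an unpatched /-/config endpoint would have served
in plaintext, and builds a redacted copy of the kind a fixed endpoint
returns. The config is a constructed sample (a real one would be loaded
with yaml.safe_load), and the set of secret-bearing key names is an
assumption modelled on Prometheus-style keys; extend it for your setup.

```python
import re

# Key names that hold a secret when given inline. Their "*_file" variants
# (e.g. password_file) only reference a path and are not affected.
SECRET_KEY_RE = re.compile(r"(password|token|secret|credentials|secret_key)$")
REDACTED = "<secret>"

# Constructed sample config: two inline secrets and one file-based secret.
SAMPLE_CONFIG = {
    "metrics": {"configs": [{
        "name": "default",
        "remote_write": [{
            "url": "https://example.invalid/api/v1/write",
            "basic_auth": {"username": "agent", "password": "hunter2"},
        }],
        "scrape_configs": [{
            "job_name": "consul",
            "consul_sd_configs": [{"server": "consul.invalid:8500", "token": "c0ns-ul"}],
        }],
    }]},
    "integrations": {"agent": {"enabled": True}},
    "safe": {"password_file": "/run/secrets/pw"},
}


def _is_inline_secret(key, value):
    return isinstance(value, str) and not key.endswith("_file") and bool(SECRET_KEY_RE.search(key))


def find_inline_secrets(node, path=""):
    """Return the dotted path of every inline secret in a parsed config tree."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            found += [child] if _is_inline_secret(key, value) else find_inline_secrets(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += find_inline_secrets(item, f"{path}[{i}]")
    return found


def redact_inline_secrets(node):
    """Return a copy of the tree with every inline secret replaced by REDACTED."""
    if isinstance(node, dict):
        return {k: (REDACTED if _is_inline_secret(k, v) else redact_inline_secrets(v)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_inline_secrets(item) for item in node]
    return node


if __name__ == "__main__":
    for secret_path in find_inline_secrets(SAMPLE_CONFIG):
        print("inline secret at", secret_path)
```

Any path the script reports is one to move to a *_file-based setting; on a patched agent the redacted form is what /-/config should return.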

Impact
======

A remote attacker could disclose inline secrets over the Grafana Agent
HTTP server.

References
==========

https://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh
https://security.archlinux.org/CVE-2021-41090
