CVE-2021-36157 in Cortex
Summary
by MITRE • 08/03/2021
An issue was discovered in Grafana Cortex through 1.9.0. The header value X-Scope-OrgID is used to construct file paths for rules files, and if crafted to conduct directory traversal such as ae ../../sensitive/path/in/deployment pathname, then Cortex will attempt to parse a rules file at that location and include some of the contents in the error message. (Other Cortex API requests can also be sent a malicious OrgID header, e.g., tricking the ingester into writing metrics to a different location, but the effect is nuisance rather than information disclosure.)
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/28/2025
The vulnerability identified as CVE-2021-36157 affects Grafana Cortex versions through 1.9.0 and represents a directory traversal flaw that enables unauthorized access to sensitive system files. This issue specifically targets the X-Scope-OrgID header mechanism used by Cortex to manage organizational boundaries and rule file locations. The flaw arises from insufficient input validation and sanitization when processing this header value, allowing malicious actors to manipulate file path resolution through crafted header values that include directory traversal sequences such as ../../sensitive/path/in/deployment. The vulnerability operates at the application layer and demonstrates a classic path traversal vulnerability pattern that can lead to information disclosure and potential system compromise.
The technical implementation of this vulnerability stems from the improper handling of user-supplied input within the Cortex rule file processing pipeline. When the X-Scope-OrgID header contains malicious traversal sequences, the system constructs file paths without adequate sanitization, leading to unintended file access patterns. This flaw maps directly to CWE-22, which defines path traversal vulnerabilities as weaknesses that allow attackers to access files and directories outside the intended scope. The vulnerability is particularly concerning because it enables attackers to include contents from arbitrary file locations within error messages generated by Cortex, effectively creating an information disclosure channel that can reveal sensitive system information, configuration files, or deployment-specific data.
The operational impact of CVE-2021-36157 extends beyond simple information disclosure, as it can facilitate more sophisticated attacks within compromised environments. While the primary effect manifests in error message contents being populated with sensitive file data, the vulnerability also enables manipulation of other Cortex API requests through malicious OrgID headers. This capability can be leveraged to trick the ingester component into writing metrics to unintended locations, potentially leading to data corruption, unauthorized data access, or disruption of normal operational procedures. The vulnerability affects the integrity and confidentiality of the system's rule management and data ingestion components, creating opportunities for attackers to gain unauthorized insights into the deployment's structure and potentially escalate privileges through additional attack vectors.
Mitigation strategies for this vulnerability should focus on implementing robust input validation and sanitization measures for all user-supplied headers, particularly the X-Scope-OrgID field. Organizations should immediately upgrade to Grafana Cortex versions that have addressed this vulnerability, as the maintainers have released patches to prevent directory traversal attempts through header manipulation. Network segmentation and access controls should be implemented to limit exposure of Cortex endpoints to untrusted networks, while monitoring systems should be configured to detect anomalous header values and potential exploitation attempts. The implementation of proper path normalization and validation routines within the application codebase can prevent malicious traversal sequences from being processed, aligning with ATT&CK technique T1059.007 for command and scripting interpreter usage, which emphasizes the importance of input validation to prevent malicious code injection and path traversal attacks. Additionally, security teams should conduct comprehensive vulnerability assessments of their Cortex deployments to identify any other potential attack surfaces that may be similarly affected by improper input handling practices.