How severe is CVE-2022-23536?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2022-23536?

This is classified as CWE-73, which is a common weakness in software security.

CVE-2022-23536

MEDIUM Year: 2022

CVSS v3 Score

6.5

Medium

Weakness Type

CWE-73

View all →

Vulnerability Description

Cortex provides multi-tenant, long term storage for Prometheus. A local file inclusion vulnerability exists in Cortex versions 1.13.0, 1.13.1 and 1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Alertmanager Set Configuration API. Only users of the Alertmanager service where `-experimental.alertmanager.enable-api` or `enable_api: true` is configured are affected. Affected Cortex users are advised to upgrade to patched versions 1.13.2 or 1.14.1. However as a workaround, Cortex administrators may reject Alertmanager configurations containing the `api_key_file` setting in the `opsgenie_configs` section before sending to the Set Alertmanager Configuration API.

CVE-2020-2003

MEDIUM

CVSS:6.5(Medium)

An external control of filename vulnerability in the command processing of PAN-OS allows an authenticated administrator to delete arbitrary system files affecting the integrity of the system or causin...

CWE-732020

CVE-2021-27250

MEDIUM

CVSS:6.5(Medium)

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-2020 v1.01rc001 Wi-Fi access points. Authentication is not required to ex...

CWE-732021

CVE-2022-0593

MEDIUM

CVSS:6.5(Medium)

The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated use...

CWE-732022

CVE-2022-20789

MEDIUM

CVSS:6.5(Medium)

A vulnerability in the software upgrade process of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an...

CWE-732022

CVE-2022-2638

MEDIUM

CVSS:6.5(Medium)

The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed on the system which is supposed to be the CSV file. This could allow high privilege users to delete...

CWE-732022

CVE-2022-28710

MEDIUM

CVSS:6.5(Medium)

An information disclosure vulnerability exists in the chunkFile functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An a...

CWE-732022

CVE-2022-23536

Vulnerability Description

Related Vulnerabilities

CVE-2020-2003

CVE-2021-27250

CVE-2022-0593

CVE-2022-20789

CVE-2022-2638

CVE-2022-28710