Restrict path segments in TenantIDs (cortexproject#4375) (cortexproject#4376)

This prevents paths generated from TenantIDs from becoming vulnerable to
path traversal attacks. CVE-2021-36157

Signed-off-by: Christian Simon <[email protected]>
Signed-off-by: Alvin Lin <[email protected]>
bboreham authored and alvinlin123 committed Jan 14, 2022
1 parent c50b730 commit d71577e
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Expand Up @@ -37,6 +37,11 @@
=======
>>>>>>> Update for 1.10.0-rc.0 release candidate
## 1.10.0-rc.1 / 2021-07-21

* [CHANGE] Prevent path traversal attack from users able to control the HTTP header `X-Scope-OrgID`. #4375 (CVE-2021-36157)
* Users only have control of the HTTP header when Cortex is not frontend by an auth proxy validating the tenant IDs

## 1.10.0-rc.0 / 2021-06-28

* [CHANGE] Enable strict JSON unmarshal for `pkg/util/validation.Limits` struct. The custom `UnmarshalJSON()` will now fail if the input has unknown fields. #4298
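Review bot: the unchanged context lines at the top of this hunk (`=======` and `>>>>>>> Update for 1.10.0-rc.0 release candidate`) are leftover merge-conflict markers in CHANGELOG.md; since this commit already edits that region, the cleanup belongs here rather than in a later fix-up. Two points on the added lines: `not frontend by an auth proxy` should read `not fronted by an auth proxy`, and the entry is tagged `[CHANGE]` although it records a security fix (CVE-2021-36157), so anyone scanning the changelog for security-relevant items may overlook it. Finally, the commit title says "Restrict path segments in TenantIDs" but the diff touches only CHANGELOG.md, so the message should state where the actual code change lands (the referenced #4375) so that backporters do not assume this commit alone closes the CVE.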
