
GHSA-9c4x-5hgq-q3wh

GitHub Security Advisory

Instance config inline secret exposure in Grafana

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact
Some inline secrets are exposed in plaintext over the Grafana Agent HTTP server:

* Inline secrets for metrics instance configs in the base YAML file are exposed at `/-/config`.
* Inline secrets for integrations are exposed at `/-/config`.
* Inline secrets for Consul ACL tokens and etcd basic auth, when configured for the scraping service, are exposed at `/-/config`.
* Inline secrets for the Kafka receiver used by OpenTelemetry-Collector tracing are exposed at `/-/config`.
* Inline secrets for metrics instance configs loaded from the scraping service are exposed at `/agent/api/v1/configs/{name}`.

Anyone who can reach these endpoints over the network obtains the inline secrets in plaintext; the endpoints apply no authentication of their own unless the server is configured for HTTPS with client authentication (see Workarounds).

Secrets found in these sections are used for:

* Delivering metrics to a Prometheus Remote Write system
* Authenticating against a system for discovering Prometheus targets
* Authenticating against a system for collecting metrics (scrape_configs and integrations)
* Authenticating against Consul or etcd, the stores that hold configurations to distribute in scraping service mode
* Authenticating against Kafka for receiving traces

Non-inline secrets, such as `*_file`-based secrets (for example `password_file`), are not affected by this vulnerability: the endpoints return the file path, not the file's contents.

### Patches

Upgrade to [v0.20.1](https://github.com/grafana/agent/releases/tag/v0.20.1) (a backport of the fix) or to [v0.21.2](https://github.com/grafana/agent/releases/tag/v0.21.2) or later to patch Grafana Agent. These releases obfuscate the impacted secrets listed above in the responses of the vulnerable endpoints.

The patches also disable these endpoints by default: a patched Agent only serves `/-/config` and `/agent/api/v1/configs/{name}` when started with the command-line flag `--config.enable-read-api`, which opts back in.

### Workarounds
If you cannot upgrade, use non-inline (`*_file`) secrets where possible. Not every configuration option has a non-inline equivalent, so check each impacted section individually.

You may also restrict API access to Grafana Agent with some combination of:

* Restrict the network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block. `127.0.0.1` (loopback only) is the most restrictive setting; `0.0.0.0` (all interfaces) is the default.
* Configure Grafana Agent to use HTTPS with client authentication.
* Use firewall rules to restrict external access to Grafana Agent's API.
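The walker below is an added example written for this page, not code from Grafana Agent, and it serves both the Impact list and these workarounds: given a decoded Agent configuration (the body of `/-/config`, or the local config file), it lists the dotted path of every inline credential a reader of the endpoint would obtain, checks whether `server.http_listen_address` keeps the API on loopback, and redacts the inline values the way the patched releases obfuscate them. Assumptions: the set of key names treated as secrets (`password`, `bearer_token`, `acl_token`, `credentials`) is an illustrative subset, the `<secret>` placeholder is chosen for this example, and the sample configuration is constructed and encoded as JSON so that only the Go standard library is needed; the real endpoint serves YAML, which decodes to the same map and slice shapes, so the walkers apply unchanged.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Placeholder written in place of an inline credential (chosen for this example).
const placeholder = "<secret>"

// Keys carrying inline credentials in the sections the advisory lists: an assumed, illustrative
// subset. The *_file variants are absent on purpose, since they hold a path, not the credential.
var secretKeys = map[string]bool{"password": true, "bearer_token": true, "acl_token": true, "credentials": true}

// FindInlineSecrets walks a decoded configuration and returns, sorted, the dotted path of every
// inline credential a reader of the endpoint would obtain. A value equal to the placeholder counts
// as already redacted, so the output of a patched Agent scans clean.
func FindInlineSecrets(node interface{}, path string) []string {
	var found []string
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			p := k
			if path != "" {
				p = path + "." + k
			}
			if secretKeys[k] {
				if s, ok := child.(string); ok && s != "" && s != placeholder {
					found = append(found, p)
				}
				continue
			}
			found = append(found, FindInlineSecrets(child, p)...)
		}
	case []interface{}:
		for i, child := range v {
			found = append(found, FindInlineSecrets(child, fmt.Sprintf("%s[%d]", path, i))...)
		}
	}
	sort.Strings(found)
	return found
}

// RedactInPlace swaps every inline credential for the placeholder; *_file references and all
// other values are left as they are.
func RedactInPlace(node interface{}) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			if s, ok := child.(string); ok && secretKeys[k] && s != "" {
				v[k] = placeholder
			} else {
				RedactInPlace(child)
			}
		}
	case []interface{}:
		for _, child := range v {
			RedactInPlace(child)
		}
	}
}

// ListensOnLoopbackOnly reports whether server.http_listen_address keeps the API off the
// network; an absent field means the 0.0.0.0 default the advisory names.
func ListensOnLoopbackOnly(cfg map[string]interface{}) bool {
	addr := "0.0.0.0"
	if srv, ok := cfg["server"].(map[string]interface{}); ok {
		if a, ok := srv["http_listen_address"].(string); ok && a != "" {
			addr = a
		}
	}
	return addr == "127.0.0.1" || addr == "::1" || addr == "localhost"
}

// Constructed sample shaped like an Agent config: an inline scrape password, a file-based
// remote_write password and an inline Consul ACL token for the scraping service store.
const sampleConfig = `{
  "server": {"http_listen_address": "0.0.0.0", "http_listen_port": 12345},
  "metrics": {
    "configs": [{"name": "default",
      "scrape_configs": [{"job_name": "node",
        "basic_auth": {"username": "scraper", "password": "inline-scrape-pw"}}],
      "remote_write": [{"url": "https://prometheus.example/api/prom/push",
        "basic_auth": {"username": "writer", "password_file": "/etc/agent/rw.pw"}}]}],
    "scraping_service": {"kvstore": {"store": "consul", "consul": {"acl_token": "inline-consul-token"}}}}}`

// LoadConfig decodes a body into the generic map/slice tree the walkers expect.
func LoadConfig(raw string) (map[string]interface{}, error) {
	var cfg map[string]interface{}
	err := json.Unmarshal([]byte(raw), &cfg)
	return cfg, err
}

func main() {
	cfg, err := LoadConfig(sampleConfig)
	if err != nil {
		panic(err)
	}
	fmt.Println("exposed:", FindInlineSecrets(cfg, ""), "loopback only:", ListensOnLoopbackOnly(cfg))
	RedactInPlace(cfg)
	out, _ := json.Marshal(cfg)
	fmt.Println(string(out))
}
```

Run against the sample, the audit reports the scrape `basic_auth.password` and the Consul `acl_token` but not the `password_file` entry, and the listener check fails because the default `0.0.0.0` is in effect; each reported path is a candidate for conversion to its `*_file` form or, where none exists, a reason to lock down the listener before the endpoints can be reached.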

Affected Packages

Go github.com/grafana/agent
Affected versions: 0.14.0 through 0.21.1 (fixed in 0.21.2; v0.20.1 carries a backport of the fix)

Related CVEs

Key Information

GHSA ID
GHSA-9c4x-5hgq-q3wh
Published
December 8, 2021 7:52 PM
Last Modified
December 14, 2021 3:32 PM
CVSS Score
5.0 / 10
Primary Ecosystem
Go
Primary Package
github.com/grafana/agent
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.