From nobody Sun Dec 12 00:46:08 2021
Date: Sun, 12 Dec 2021 00:46:08 GMT
Message-Id: <202112120046.1BC0k8bX066652@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Xin LI
Subject: git: 615d6690d65c - main - security/vuxml: Document multiple vulnerabilities of grafana8
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: delphij
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 615d6690d65cd096a7a602276f7ebef7615342eb
Auto-Submitted: auto-generated

The branch main has been updated by delphij:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=615d6690d65cd096a7a602276f7ebef7615342eb commit 615d6690d65cd096a7a602276f7ebef7615342eb Author: Boris Korzun AuthorDate: 2021-12-12 00:41:30 +0000 Commit: Xin LI CommitDate: 2021-12-12 00:46:03 +0000 security/vuxml: Document multiple vulnerabilities of grafana8 PR: ports/259638 --- security/vuxml/vuln-2021.xml | 144 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 144 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 0bcf3c010dca..974ff512b823 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,147 @@ + + Grafana -- Path Traversal + + + grafana8 + grafana + 8.0.08.0.7 + 8.1.08.1.8 + 8.2.08.2.7 + 8.3.08.3.1 + + + + +

Grafana Labs reports:

+
+

Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

+

The vulnerable URL path is: <grafana_host_url>/public/plugins/<“plugin-id”> where <“plugin-id”> is the plugin ID for any installed plugin.

+

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

+
    +
  • <grafana_host_url>/public/plugins/alertlist/
  • +
  • <grafana_host_url>/public/plugins/annolist/
  • +
  • <grafana_host_url>/public/plugins/barchart/
  • +
  • <grafana_host_url>/public/plugins/bargauge/
  • +
  • <grafana_host_url>/public/plugins/candlestick/
  • +
  • <grafana_host_url>/public/plugins/cloudwatch/
  • +
  • <grafana_host_url>/public/plugins/dashlist/
  • +
  • <grafana_host_url>/public/plugins/elasticsearch/
  • +
  • <grafana_host_url>/public/plugins/gauge/
  • +
  • <grafana_host_url>/public/plugins/geomap/
  • +
  • <grafana_host_url>/public/plugins/gettingstarted/
  • +
  • <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
  • +
  • <grafana_host_url>/public/plugins/graph/
  • +
  • <grafana_host_url>/public/plugins/heatmap/
  • +
  • <grafana_host_url>/public/plugins/histogram/
  • +
  • <grafana_host_url>/public/plugins/influxdb/
  • +
  • <grafana_host_url>/public/plugins/jaeger/
  • +
  • <grafana_host_url>/public/plugins/logs/
  • +
  • <grafana_host_url>/public/plugins/loki/
  • +
  • <grafana_host_url>/public/plugins/mssql/
  • +
  • <grafana_host_url>/public/plugins/mysql/
  • +
  • <grafana_host_url>/public/plugins/news/
  • +
  • <grafana_host_url>/public/plugins/nodeGraph/
  • +
  • <grafana_host_url>/public/plugins/opentsdb
  • +
  • <grafana_host_url>/public/plugins/piechart/
  • +
  • <grafana_host_url>/public/plugins/pluginlist/
  • +
  • <grafana_host_url>/public/plugins/postgres/
  • +
  • <grafana_host_url>/public/plugins/prometheus/
  • +
  • <grafana_host_url>/public/plugins/stackdriver/
  • +
  • <grafana_host_url>/public/plugins/stat/
  • +
  • <grafana_host_url>/public/plugins/state-timeline/
  • +
  • <grafana_host_url>/public/plugins/status-history/
  • +
  • <grafana_host_url>/public/plugins/table/
  • +
  • <grafana_host_url>/public/plugins/table-old/
  • +
  • <grafana_host_url>/public/plugins/tempo/
  • +
  • <grafana_host_url>/public/plugins/testdata/
  • +
  • <grafana_host_url>/public/plugins/text/
  • +
  • <grafana_host_url>/public/plugins/timeseries/
  • +
  • <grafana_host_url>/public/plugins/welcome/
  • +
  • <grafana_host_url>/public/plugins/zipkin/
  • +
+
+ +
+ + CVE-2021-43798 + https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ + + + 2021-12-03 + 2021-12-11 + +
+ + + Grafana -- Incorrect Access Control + + + grafana8 + grafana + 8.0.08.2.4 + + + + +

Grafana Labs reports:

+
+

When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.

+
+ +
+ + CVE-2021-41244 + https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/ + + + 2021-11-02 + 2021-12-11 + +
+ + + Grafana -- XSS + + + grafana8 + grafana + 8.0.08.2.3 + + + + +

Grafana Labs reports:

+
+

If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.

+

The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.

+

There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

+
    +
  • Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
  • +
  • The link is to an unauthenticated page. The following pages are vulnerable: +
      +
    • /dashboard-solo/snapshot/*
    • +
    • /dashboard/snapshot/*
    • +
    • /invite/:code
    • +
    +
  • +
+

The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

+

An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}. This can be included in the link URL like this:

+

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

+

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

+
+ +
+ + CVE-2021-41174 + https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/ + + + 2021-10-21 + 2021-12-11 + +
+ p7zip -- usage of uninitialized memory
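Review bot: the affected range for the path-traversal entry starts at 8.0.0 (the first range pair, 8.0.0 up to but excluding 8.0.7) while the quoted Grafana text says the bug was confirmed from v8.0.0-beta1 onward; in the ports version scheme a pre-release such as 8.0.0.b1 sorts below 8.0.0, so if the grafana8 port ever shipped an 8.0.0 pre-release that version would fall outside the match. Either widen the lower bound to cover the beta builds or confirm that no pre-release was ever in the tree before committing the range as written. The remaining bounds line up with the fixed releases named in the referenced blog URL (8.0.7, 8.1.8, 8.2.7, 8.3.1), and the 8.2.4 and 8.2.3 upper bounds for CVE-2021-41244 and CVE-2021-41174 match their respective release posts. One style point on the same entry: the forty `<grafana_host_url>/public/plugins/<plugin-id>/` lines copied from the blog add nothing beyond the path pattern already stated in the paragraph above them; trimming the list to the pattern plus a handful of bundled plugin IDs (for example prometheus, mysql, alertlist) would keep the entry readable on the rendered VuXML pages without losing the information a reader needs to test an instance.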