git: 4c5b10193058 - main - security/vuxml: Document Grafana vulnerabilities

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Nuno Teixeira <eduardo_at_FreeBSD.org>
Date: Thu, 01 Sep 2022 12:01:13 UTC
The branch main has been updated by eduardo:

URL: https://cgit.FreeBSD.org/ports/commit/?id=4c5b101930584d59822335a4a7cf82ae17096c5a

commit 4c5b101930584d59822335a4a7cf82ae17096c5a
Author:     Nuno Teixeira <eduardo@FreeBSD.org>
AuthorDate: 2022-09-01 09:20:35 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2022-09-01 12:00:54 +0000

    security/vuxml: Document Grafana vulnerabilities
    
     - vuxml: CVE-2022-31176 - Unauthorized file disclosure
    
    PR:             266128
---
 security/vuxml/vuln-2022.xml | 45 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index 0248ee9e5271..9a9a8cea1593 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,48 @@
+  <vuln vid="827b95ff-290e-11ed-a2e7-6c3be5272acd">
+    <topic>Grafana -- Unauthorized file disclosure</topic>
+    <affects>
+      <package>
+	<name>grafana</name>
+	<range><ge>5.2.0</ge><lt>8.3.11</lt></range>
+	<range><ge>8.4.0</ge><lt>8.4.11</lt></range>
+	<range><ge>8.5.0</ge><lt>8.5.11</lt></range>
+	<range><ge>9.0.0</ge><lt>9.0.8</lt></range>
+	<range><ge>9.1.0</ge><lt>9.1.2</lt></range>
+      </package>
+      <package>
+	<name>grafana7</name>
+	<range><ge>7.0</ge></range>
+      </package>
+      <package>
+	<name>grafana8</name>
+	<range><ge>8.3.0</ge><lt>8.3.11</lt></range>
+	<range><ge>8.4.0</ge><lt>8.4.11</lt></range>
+	<range><ge>8.5.0</ge><lt>8.5.11</lt></range>
+      </package>
+      <package>
+	<name>grafana9</name>
+	<range><ge>9.0.0</ge><lt>9.0.8</lt></range>
+	<range><ge>9.1.0</ge><lt>9.1.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Grafana Labs reports:</p>
+	<blockquote cite="https://grafana.com/blog/2022/08/30/security-release-new-versions-of-grafana-and-grafana-image-renderer-with-a-high-severity-security-fix-for-cve-2022-31176/">
+	  <p>On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the <a href="https://grafana.com/grafana/plugins/grafana-image-renderer/">Grafana Image Renderer plugin</a> when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for “printing” of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2022-31176</cvename>
+      <url>https://github.com/grafana/grafana-image-renderer/security/advisories/GHSA-2cfh-233g-m4c5</url>
+    </references>
+    <dates>
+      <discovery>2022-07-21</discovery>
+      <entry>2022-09-01</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="e4d93d07-297a-11ed-95f8-901b0e9408dc">
     <topic>Matrix clients -- several vulnerabilities</topic>
     <affects>