View | Details | Raw Unified | Return to bug 231022

(-)security/vuxml/vuln.xml (+35 lines)
Lines 58-63 Link Here
58
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
58
  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
59
-->
59
-->
60
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
60
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
61
  <vuln vid="ca60a0ce-ac57-11e8-9cb6-10c37b4ac2ea">
62
    <topic>grafana2 -- LDAP and OAuth login vulnerability</topic>
63
    <affects>
64
      <package>
65
	<name>grafana2</name>
66
	<range><ge>2.0.0</ge></range>
67
      </package>
68
    </affects>
69
    <description>
70
      <body xmlns="http://www.w3.org/1999/xhtml">
71
	<p>Grafana Labs reports:</p>
72
	<blockquote cite="https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050">
73
	  <p>On the 20th of August at 1800 CEST we were contacted about a
74
	    potential security issue with the “remember me” cookie Grafana
75
	    sets upon login. The issue targeted users without a local Grafana
76
	    password (LDAP &amp; OAuth users) and enabled a potential attacker
77
	    to generate a valid cookie knowing only a username.</p>
78
	  <p>All installations which use the Grafana LDAP or OAuth
79
	    authentication features must be upgraded as soon as possible. If
80
	    you cannot upgrade, you should switch authentication mechanisms
81
	    or put additional protections in front of Grafana such as a
82
	    reverse proxy.</p>
83
	</blockquote>
84
      </body>
85
    </description>
86
    <references>
87
      <url>https://community.grafana.com/t/grafana-5-2-3-and-4-6-4-security-update/10050</url>
88
      <cvename>CVE-2018-558213</cvename>
89
    </references>
90
    <dates>
91
      <discovery>2018-08-20</discovery>
92
      <entry>2018-08-30</entry>
93
    </dates>
94
  </vuln>
95
61
  <vuln vid="0904e81f-a89d-11e8-afbb-bc5ff4f77b71">
96
  <vuln vid="0904e81f-a89d-11e8-afbb-bc5ff4f77b71">
62
    <topic>node.js -- multiple vulnerabilities</topic>
97
    <topic>node.js -- multiple vulnerabilities</topic>
63
    <affects>
98
    <affects>
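
Review bot: The `<cvename>CVE-2018-558213</cvename>` line in the new grafana2 entry looks mistyped: a six-digit sequence number is not in the ranges CVE ids were assigned from for 2018. Check it against the Grafana announcement cited in `<url>` before committing, because a wrong id breaks lookups from the CVE to this vid. Separately, `<range><ge>2.0.0</ge></range>` has no upper bound and `grafana2` is the only `<name>`, while the cited announcement is titled for the 5.2.3 and 4.6.4 releases and the comment just above `<vuxml>` says not to forget port variants. Add the other Grafana ports with `<lt>` bounds at their fixed versions, and if grafana2 is meant to stay open-ended because it will not receive a fix, say so in the entry.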
