Attachment #229571 for bug #259638

View | Details | Raw Unified | Return to bug 259638 | Differences between
Collapse All | Expand All




  <vuln vid="99bff2bd-4852-11ec-a828-6c3be5272acd">
    <topic>Grafana -- Incorrect Access Control</topic>
    <affects>
      <package>
	<name>grafana8</name>
	<name>grafana</name>
	<range><ge>8.0.0</ge><lt>8.2.4</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Grafana Labs reports:</p>
	<blockquote cite="https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/">
	  <p>On Nov. 2, during an internal security audit, we discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2021-41244</cvename>
      <url>https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/</url>
    </references>
    <dates>
      <discovery>2021-11-02</discovery>
      <entry>2021-11-18</entry>
    </dates>
  </vuln>

  <vuln vid="4b478274-47a0-11ec-bd24-6c3be5272acd">
    <topic>Grafana -- XSS</topic>
    <affects>
      <package>
	<name>grafana8</name>
	<name>grafana</name>
	<range><ge>8.0.0</ge><lt>8.2.3</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Grafana Labs reports:</p>
	<blockquote cite="https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/">
	  <p>If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.</p>
	  <p>The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.</p>
	  <p>There are two ways an unauthenticated user can open a page in Grafana that contains the login button:</p>
	  <ul>
	    <li>Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.</li>
	    <li>The link is to an unauthenticated page. The following pages are vulnerable:
	      <ul>
		<li><code>/dashboard-solo/snapshot/*</code></li>
		<li><code>/dashboard/snapshot/*</code></li>
		<li><code>/invite/:code</code></li>
	      </ul>
	    </li>
	  </ul>
	  <p>The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: <code>{{ }}</code></p>
	  <p>An example of an expression would be: <code>{{constructor.constructor(‘alert(1)’)()}}</code>. This can be included in the link URL like this:</p>
	  <p><a href="https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1">https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1</a></p>
	  <p>When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2021-41174</cvename>
      <url>https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/</url>
    </references>
    <dates>
      <discovery>2021-10-21</discovery>
      <entry>2021-11-17</entry>
    </dates>
  </vuln>

  <vuln vid="b8c0cbca-472d-11ec-83dc-3065ec8fd3ec">
    <topic>chromium -- multiple vulnerabilities</topic>
    <affects>

Return to bug 259638

Lines 1-3 Link Here

(-)b/security/vuxml/vuln-2021.xml (+70 lines)
		1	<vuln vid="99bff2bd-4852-11ec-a828-6c3be5272acd">
		2	<topic>Grafana -- Incorrect Access Control</topic>
		3	<affects>
		4	<package>
		5	<name>grafana8</name>
		6	<name>grafana</name>
		7	<range><ge>8.0.0</ge><lt>8.2.4</lt></range>
		8	</package>
		9	</affects>
		10	<description>
		11	<body xmlns="http://www.w3.org/1999/xhtml">
		12	<p>Grafana Labs reports:</p>
		13	<blockquote cite="https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/">
		14	<p>On Nov. 2, during an internal security audit, we discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.</p>
		15	</blockquote>
		16	</body>
		17	</description>
		18	<references>
		19	<cvename>CVE-2021-41244</cvename>
		20	<url>https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/</url>
		21	</references>
		22	<dates>
		23	<discovery>2021-11-02</discovery>
		24	<entry>2021-11-18</entry>
		25	</dates>
		26	</vuln>
		27
		28	<vuln vid="4b478274-47a0-11ec-bd24-6c3be5272acd">
		29	<topic>Grafana -- XSS</topic>
		30	<affects>
		31	<package>
		32	<name>grafana8</name>
		33	<name>grafana</name>
		34	<range><ge>8.0.0</ge><lt>8.2.3</lt></range>
		35	</package>
		36	</affects>
		37	<description>
		38	<body xmlns="http://www.w3.org/1999/xhtml">
		39	<p>Grafana Labs reports:</p>
		40	<blockquote cite="https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/">
		41	<p>If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.</p>
		42	<p>The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.</p>
		43	<p>There are two ways an unauthenticated user can open a page in Grafana that contains the login button:</p>
		44	<ul>
		45	<li>Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.</li>
		46	<li>The link is to an unauthenticated page. The following pages are vulnerable:
		47	<ul>
		48	<li><code>/dashboard-solo/snapshot/*</code></li>
		49	<li><code>/dashboard/snapshot/*</code></li>
		50	<li><code>/invite/:code</code></li>
		51	</ul>
		52	</li>
		53	</ul>
		54	<p>The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: <code>{{ }}</code></p>
		55	<p>An example of an expression would be: <code>{{constructor.constructor(‘alert(1)’)()}}</code>. This can be included in the link URL like this:</p>
		56	<p><a href="https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1">https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1</a></p>
		57	<p>When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.</p>
		58	</blockquote>
		59	</body>
		60	</description>
		61	<references>
		62	<cvename>CVE-2021-41174</cvename>
		63	<url>https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/</url>
		64	</references>
65	<dates>
66	<discovery>2021-10-21</discovery>
67	<entry>2021-11-17</entry>
68	</dates>
69	</vuln>
70
1	<vuln vid="b8c0cbca-472d-11ec-83dc-3065ec8fd3ec">	71	<vuln vid="b8c0cbca-472d-11ec-83dc-3065ec8fd3ec">
2	<topic>chromium -- multiple vulnerabilities</topic>	72	<topic>chromium -- multiple vulnerabilities</topic>
3	<affects>	73	<affects>