|
Lines 1-3
|
|
|
1 |
<vuln vid="c2a7de31-5b42-11ec-8398-6c3be5272acd"> |
| 2 |
<topic>Grafana -- Directory Traversal</topic> |
| 3 |
<affects> |
| 4 |
<package> |
| 5 |
<name>grafana</name> |
| 6 |
<name>grafana8</name> |
| 7 |
<range><ge>8.0.0</ge><lt>8.3.2</lt></range> |
| 8 |
</package> |
| 9 |
</affects> |
| 10 |
<description> |
| 11 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 12 |
<p>GitHub Security Labs reports:</p> |
| 13 |
<blockquote cite="https://github.com/grafana/grafana/security/advisories/GHSA-7533-c8qv-jm9m"> |
| 14 |
<p>A vulnerability through which authenticated users could read out fully lowercase or fully uppercase <code>.md</code> files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary <code>.csv</code> files through directory traversal. Thanks to our defense-in-depth approach, at no time has <a href="https://grafana.com/cloud">Grafana Cloud</a> been vulnerable.</p> |
| 15 |
<p><strong>The vulnerable URL path is:</strong> <code>/api/ds/query</code></p> |
| 16 |
</blockquote> |
| 17 |
</body> |
| 18 |
</description> |
| 19 |
<references> |
| 20 |
<cvename>CVE-2021-43815</cvename> |
| 21 |
<url>https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/</url> |
| 22 |
</references> |
| 23 |
<dates> |
| 24 |
<discovery>2021-12-09</discovery> |
| 25 |
<entry>2021-12-12</entry> |
| 26 |
</dates> |
| 27 |
</vuln> |
| 28 |
|
| 29 |
<vuln vid="a994ff7d-5b3f-11ec-8398-6c3be5272acd"> |
| 30 |
<topic>Grafana -- Directory Traversal</topic> |
| 31 |
<affects> |
| 32 |
<package> |
| 33 |
<name>grafana</name> |
| 34 |
<range><ge>5.0.0</ge><lt>7.5.12</lt></range> |
| 35 |
<range><ge>8.0.0</ge><lt>8.3.2</lt></range> |
| 36 |
</package> |
| 37 |
<package> |
| 38 |
<name>grafana6</name> |
| 39 |
<range><ge>6.0.0</ge></range> |
| 40 |
</package> |
| 41 |
<package> |
| 42 |
<name>grafana7</name> |
| 43 |
<range><ge>7.0.0</ge><lt>7.5.12</lt></range> |
| 44 |
</package> |
| 45 |
<package> |
| 46 |
<name>grafana8</name> |
| 47 |
<range><ge>8.0.0</ge><lt>8.3.2</lt></range> |
| 48 |
</package> |
| 49 |
</affects> |
| 50 |
<description> |
| 51 |
<body xmlns="http://www.w3.org/1999/xhtml"> |
| 52 |
<p>GitHub Security Labs reports:</p> |
| 53 |
<blockquote cite="https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q"> |
| 54 |
<p>A vulnerability through which authenticated users could read out fully lowercase or fully uppercase <code>.md</code> files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary <code>.csv</code> files through directory traversal. Thanks to our defense-in-depth approach, at no time has <a href="https://grafana.com/cloud">Grafana Cloud</a> been vulnerable.</p> |
| 55 |
<p><strong>The vulnerable URL path is:</strong> <code>/api/plugins/.*/markdown/.*</code> for <code>.md</code> files</p> |
| 56 |
</blockquote> |
| 57 |
</body> |
| 58 |
</description> |
| 59 |
<references> |
| 60 |
<cvename>CVE-2021-43813</cvename> |
| 61 |
<url>https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/</url> |
| 62 |
</references> |
| 63 |
<dates> |
| 64 |
<discovery>2021-12-09</discovery> |
| 65 |
<entry>2021-12-12</entry> |
| 66 |
</dates> |
| 67 |
</vuln> |
| 68 |
|
| 1 |
<vuln vid="e33880ed-5802-11ec-8398-6c3be5272acd"> |
69 |
<vuln vid="e33880ed-5802-11ec-8398-6c3be5272acd"> |
| 2 |
<topic>Grafana -- Path Traversal</topic> |
70 |
<topic>Grafana -- Path Traversal</topic> |
| 3 |
<affects> |
71 |
<affects> |
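Review bot: the lead-in `<p>GitHub Security Labs reports:</p>` in both new entries does not match the text it introduces. Both blockquotes cite advisories under github.com/grafana/grafana/security/advisories and are written in Grafana's own voice ("our defense-in-depth approach", Grafana Cloud), so the attribution should name the Grafana advisory as the source. The two entries also carry the identical topic "Grafana -- Directory Traversal" and the identical first paragraph, which leaves only the path line to tell them apart. Consider putting the file type in each topic: `.csv` via `/api/ds/query` for CVE-2021-43815, `.md` via `/api/plugins/.*/markdown/.*` for CVE-2021-43813. In the second entry, `grafana6` has `<ge>6.0.0</ge>` with no `<lt>`, so every version of that package is flagged as affected. If that is deliberate because the branch will not receive a fix, state it in the commit message so the open-ended range is not later read as an omission.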