Attachment #231764 for bug #261892

View | Details | Raw Unified | Return to bug 261892 | Differences between
Collapse All | Expand All




  <vuln vid="d71d154a-8b83-11ec-b369-6c3be5272acd">
    <topic>Grafana -- Teams API IDOR</topic>
    <affects>
      <package>
	<name>grafana</name>
	<range><ge>5.0.0</ge><lt>7.5.15</lt></range>
	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
      </package>
      <package>
	<name>grafana6</name>
	<range><ge>6.0.0</ge></range>
      </package>
      <package>
	<name>grafana7</name>
	<range><ge>7.0.0</ge><lt>7.5.15</lt></range>
      </package>
      <package>
	<name>grafana8</name>
	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Grafana Labs reports:</p>
	<blockquote cite="https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/">
	  <p>On Jan. 18, an external security researcher, Kürşad ALSAN from <a href="https://www.nspect.io/">NSPECT.IO</a> (<a href="https://twitter.com/nspectio">@nspectio</a> on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:</p>
	  <ul>
	    <li><strong>/teams/:teamId</strong> - an authenticated attacker can view unintended data by querying for the specific team ID.</li>
	    <li><strong>/teams/:search</strong> - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.</li>
	    <li><strong>/teams/:teamId/members</strong> - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.</li>
	  </ul>
	  <p>We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2022-21713</cvename>
      <url>https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/</url>
    </references>
    <dates>
      <discovery>2022-01-18</discovery>
      <entry>2022-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="d4284c2e-8b83-11ec-b369-6c3be5272acd">
    <topic>Grafana -- CSRF</topic>
    <affects>
      <package>
	<name>grafana</name>
	<range><ge>3.0.0</ge><lt>7.5.15</lt></range>
	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
      </package>
      <package>
	<name>grafana6</name>
	<range><ge>6.0.0</ge></range>
      </package>
      <package>
	<name>grafana7</name>
	<range><ge>7.0.0</ge><lt>7.5.15</lt></range>
      </package>
      <package>
	<name>grafana8</name>
	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Grafana Labs reports:</p>
	<blockquote cite="https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/">
	  <p>On Jan. 18, security researchers <a href="https://twitter.com/jub0bs">@jub0bs</a> and <a href="https://twitter.com/theabrahack">@abrahack</a> contacted Grafana to <a href="https://jub0bs.com/posts/2022-02-08-cve-2022-21703-writeup/">disclose a CSRF vulnerability</a> which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2022-21703</cvename>
      <url>https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/</url>
    </references>
    <dates>
      <discovery>2022-01-18</discovery>
      <entry>2022-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="cecbc674-8b83-11ec-b369-6c3be5272acd">
    <topic>Grafana -- XSS</topic>
    <affects>
      <package>
	<name>grafana</name>
	<range><ge>2.0.0</ge><lt>7.5.15</lt></range>
	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
      </package>
      <package>
	<name>grafana6</name>
	<range><ge>6.0.0</ge></range>
      </package>
      <package>
	<name>grafana7</name>
	<range><ge>7.0.0</ge><lt>7.5.15</lt></range>
      </package>
      <package>
	<name>grafana8</name>
	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Grafana Labs reports:</p>
	<blockquote cite="https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/">
	  <p>On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2022-21702</cvename>
      <url>https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/</url>
    </references>
    <dates>
      <discovery>2022-01-16</discovery>
      <entry>2022-02-12</entry>
    </dates>
  </vuln>

  <vuln vid="0b0ad196-1ee8-4a98-89b1-4d5d82af49a9">
    <topic>jenkins -- DoS vulnerability in bundled XStream library</topic>
    <affects>

Return to bug 261892

Lines 1-3 Link Here

(-)b/security/vuxml/vuln-2022.xml (+123 lines)
		1	<vuln vid="d71d154a-8b83-11ec-b369-6c3be5272acd">
		2	<topic>Grafana -- Teams API IDOR</topic>
		3	<affects>
		4	<package>
		5	<name>grafana</name>
		6	<range><ge>5.0.0</ge><lt>7.5.15</lt></range>
		7	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
		8	</package>
		9	<package>
		10	<name>grafana6</name>
		11	<range><ge>6.0.0</ge></range>
		12	</package>
		13	<package>
		14	<name>grafana7</name>
		15	<range><ge>7.0.0</ge><lt>7.5.15</lt></range>
		16	</package>
		17	<package>
		18	<name>grafana8</name>
		19	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
		20	</package>
		21	</affects>
		22	<description>
		23	<body xmlns="http://www.w3.org/1999/xhtml">
		24	<p>Grafana Labs reports:</p>
		25	<blockquote cite="https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/">
		26	<p>On Jan. 18, an external security researcher, Kürşad ALSAN from <a href="https://www.nspect.io/">NSPECT.IO</a> (<a href="https://twitter.com/nspectio">@nspectio</a> on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:</p>
		27	<ul>
		28	<li><strong>/teams/:teamId</strong> - an authenticated attacker can view unintended data by querying for the specific team ID.</li>
		29	<li><strong>/teams/:search</strong> - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.</li>
		30	<li><strong>/teams/:teamId/members</strong> - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.</li>
		31	</ul>
		32	<p>We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).</p>
		33	</blockquote>
		34	</body>
		35	</description>
		36	<references>
		37	<cvename>CVE-2022-21713</cvename>
		38	<url>https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/</url>
		39	</references>
		40	<dates>
		41	<discovery>2022-01-18</discovery>
		42	<entry>2022-02-12</entry>
		43	</dates>
		44	</vuln>
		45
		46	<vuln vid="d4284c2e-8b83-11ec-b369-6c3be5272acd">
		47	<topic>Grafana -- CSRF</topic>
		48	<affects>
		49	<package>
		50	<name>grafana</name>
		51	<range><ge>3.0.0</ge><lt>7.5.15</lt></range>
		52	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
		53	</package>
		54	<package>
		55	<name>grafana6</name>
		56	<range><ge>6.0.0</ge></range>
		57	</package>
		58	<package>
		59	<name>grafana7</name>
		60	<range><ge>7.0.0</ge><lt>7.5.15</lt></range>
		61	</package>
		62	<package>
		63	<name>grafana8</name>
		64	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
65	</package>
66	</affects>
67	<description>
68	<body xmlns="http://www.w3.org/1999/xhtml">
69	<p>Grafana Labs reports:</p>
70	<blockquote cite="https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/">
71	<p>On Jan. 18, security researchers <a href="https://twitter.com/jub0bs">@jub0bs</a> and <a href="https://twitter.com/theabrahack">@abrahack</a> contacted Grafana to <a href="https://jub0bs.com/posts/2022-02-08-cve-2022-21703-writeup/">disclose a CSRF vulnerability</a> which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).</p>
72	</blockquote>
73	</body>
74	</description>
75	<references>
76	<cvename>CVE-2022-21703</cvename>
77	<url>https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/</url>
78	</references>
79	<dates>
80	<discovery>2022-01-18</discovery>
81	<entry>2022-02-12</entry>
82	</dates>
83	</vuln>
84
85	<vuln vid="cecbc674-8b83-11ec-b369-6c3be5272acd">
86	<topic>Grafana -- XSS</topic>
87	<affects>
88	<package>
89	<name>grafana</name>
90	<range><ge>2.0.0</ge><lt>7.5.15</lt></range>
91	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
92	</package>
93	<package>
94	<name>grafana6</name>
95	<range><ge>6.0.0</ge></range>
96	</package>
97	<package>
98	<name>grafana7</name>
99	<range><ge>7.0.0</ge><lt>7.5.15</lt></range>
100	</package>
101	<package>
102	<name>grafana8</name>
103	<range><ge>8.0.0</ge><lt>8.3.5</lt></range>
104	</package>
105	</affects>
106	<description>
107	<body xmlns="http://www.w3.org/1999/xhtml">
108	<p>Grafana Labs reports:</p>
109	<blockquote cite="https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/">
110	<p>On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).</p>
111	</blockquote>
112	</body>
113	</description>
114	<references>
115	<cvename>CVE-2022-21702</cvename>
116	<url>https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/</url>
117	</references>
118	<dates>
119	<discovery>2022-01-16</discovery>
120	<entry>2022-02-12</entry>
121	</dates>
122	</vuln>
123
1	<vuln vid="0b0ad196-1ee8-4a98-89b1-4d5d82af49a9">	124	<vuln vid="0b0ad196-1ee8-4a98-89b1-4d5d82af49a9">
2	<topic>jenkins -- DoS vulnerability in bundled XStream library</topic>	125	<topic>jenkins -- DoS vulnerability in bundled XStream library</topic>
3	<affects>	126	<affects>