View | Details | Raw Unified | Return to bug 266128 | Differences between
and this patch

(-)b/security/vuxml/vuln-2022.xml (+45 lines)
Lines 1-3 Link Here
1
  <vuln vid="827b95ff-290e-11ed-a2e7-6c3be5272acd">
2
    <topic>Grafana -- Unauthorized file disclosure</topic>
3
    <affects>
4
      <package>
5
	<name>grafana</name>
6
	<range><ge>5.2.0</ge><lt>8.3.11</lt></range>
7
	<range><ge>8.4.0</ge><lt>8.4.11</lt></range>
8
	<range><ge>8.5.0</ge><lt>8.5.11</lt></range>
9
	<range><ge>9.0.0</ge><lt>9.0.8</lt></range>
10
	<range><ge>9.1.0</ge><lt>9.1.2</lt></range>
11
      </package>
12
      <package>
13
	<name>grafana7</name>
14
	<range><ge>7.0</ge></range>
15
      </package>
16
      <package>
17
	<name>grafana8</name>
18
	<range><ge>8.3.0</ge><lt>8.3.11</lt></range>
19
	<range><ge>8.4.0</ge><lt>8.4.11</lt></range>
20
	<range><ge>8.5.0</ge><lt>8.5.11</lt></range>
21
      </package>
22
      <package>
23
	<name>grafana9</name>
24
	<range><ge>9.0.0</ge><lt>9.0.8</lt></range>
25
	<range><ge>9.1.0</ge><lt>9.1.2</lt></range>
26
      </package>
27
    </affects>
28
    <description>
29
      <body xmlns="http://www.w3.org/1999/xhtml">
30
	<p>Grafana Labs reports:</p>
31
	<blockquote cite="https://grafana.com/blog/2022/08/30/security-release-new-versions-of-grafana-and-grafana-image-renderer-with-a-high-severity-security-fix-for-cve-2022-31176/">
32
	  <p>On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the <a href="https://grafana.com/grafana/plugins/grafana-image-renderer/">Grafana Image Renderer plugin</a> when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for “printing” of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).</p>
33
	</blockquote>
34
      </body>
35
    </description>
36
    <references>
37
      <cvename>CVE-2022-31176</cvename>
38
      <url>https://github.com/grafana/grafana-image-renderer/security/advisories/GHSA-2cfh-233g-m4c5</url>
39
    </references>
40
    <dates>
41
      <discovery>2022-07-21</discovery>
42
      <entry>2022-08-31</entry>
43
    </dates>
44
  </vuln>
45
1
  <vuln vid="3110b29e-c82d-4287-9f6c-db82bb883b1e">
46
  <vuln vid="3110b29e-c82d-4287-9f6c-db82bb883b1e">
2
    <topic>zeek -- potential DoS vulnerabilities</topic>
47
    <topic>zeek -- potential DoS vulnerabilities</topic>
3
    <affects>
48
    <affects>
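
Review bot: The `grafana7` package in `<affects>` has only `<range><ge>7.0</ge></range>` with no `<lt>` bound, so every current and future grafana7 version will be flagged as vulnerable. If that is deliberate because no fixed 7.x release exists, state it in the submission; otherwise add the upper bound. Separately, the quoted advisory text places the flaw in the Grafana Image Renderer plugin when HTTP remote rendering is used, while the entry lists only the grafana, grafana7, grafana8 and grafana9 packages. Extend the blockquote with the part of the advisory that explains why these packages and version ranges are affected, including the source for the `5.2.0` lower bound on `grafana`.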
