FreeBSD Bugzilla – Attachment 228479 Details for
Bug 258962
www/grafana8: Update to 8.1.6 (Fixes critical vulnerability)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
vuxml.diff
vuxml.diff (text/plain), 2.24 KB, created by
Boris Korzun
on 2021-10-06 13:04:58 UTC
(
hide
)
Description:
vuxml.diff
Filename:
MIME Type:
Creator:
Boris Korzun
Created:
2021-10-06 13:04:58 UTC
Size:
2.24 KB
patch
obsolete
>diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml >index d084ea05ebce..3ee16754c5e9 100644 >--- a/security/vuxml/vuln-2021.xml >+++ b/security/vuxml/vuln-2021.xml >@@ -1,3 +1,47 @@ >+ <vuln vid="757ee63b-269a-11ec-a616-6c3be5272acd"> >+ <topic>Grafana -- Snapshot authentication bypass</topic> >+ <affects> >+ <package> >+ <name>grafana8</name> >+ <name>grafana7</name> >+ <name>grafana6</name> >+ <name>grafana</name> >+ <range><ge>8.0.0</ge><lt>8.1.6</lt></range> >+ <range><ge>2.0.1</ge><lt>7.5.11</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Grafana Labs reports:</p> >+ <blockquote cite="https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/"> >+ <p>Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:</p> >+ <ul> >+ <li><code>/dashboard/snapshot/:key</code>, or</li> >+ <li><code>/api/snapshots/:key</code></li> >+ </ul> >+ <p>If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:</p> >+ <ul> >+ <li><code>/api/snapshots-delete/:deleteKey</code></li> >+ </ul> >+ <p>Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:</p> >+ <ul> >+ <li><code>/api/snapshots/:key</code>, or</li> >+ <li><code>/api/snapshots-delete/:deleteKey</code></li> >+ </ul> >+ <p>The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2021-39226</cvename> >+ <url>https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/</url> >+ </references> >+ <dates> >+ <discovery>2021-09-15</discovery> >+ <entry>2021-10-06</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="25b78bdd-25b8-11ec-a341-d4c9ef517024"> > <topic>Apache httpd -- Multiple vulnerabilities</topic> > <affects>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=228479">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
drtr0jan
:
maintainer-approval?
Actions:
View
|
Diff
Attachments on
bug 258962
:
228478
| 228479 |
228488