FreeBSD Bugzilla – Attachment 229571 Details for
Bug 259638
www/grafana8: Update to 8.2.7 (Fixes high vulnerabilities)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
vuxml.diff
vuxml-grafana8.diff (text/plain), 4.06 KB, created by
Boris Korzun
on 2021-11-18 11:44:58 UTC
(
hide
)
Description:
vuxml.diff
Filename:
MIME Type:
Creator:
Boris Korzun
Created:
2021-11-18 11:44:58 UTC
Size:
4.06 KB
patch
obsolete
>diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml >index ae2e7d778fb9..83448500b89e 100644 >--- a/security/vuxml/vuln-2021.xml >+++ b/security/vuxml/vuln-2021.xml >@@ -1,3 +1,73 @@ >+ <vuln vid="99bff2bd-4852-11ec-a828-6c3be5272acd"> >+ <topic>Grafana -- Incorrect Access Control</topic> >+ <affects> >+ <package> >+ <name>grafana8</name> >+ <name>grafana</name> >+ <range><ge>8.0.0</ge><lt>8.2.4</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Grafana Labs reports:</p> >+ <blockquote cite="https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/"> >+ <p>On Nov. 2, during an internal security audit, we discovered that when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update usersâ roles in other organizations in which they are not an admin.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2021-41244</cvename> >+ <url>https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/</url> >+ </references> >+ <dates> >+ <discovery>2021-11-02</discovery> >+ <entry>2021-11-18</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="4b478274-47a0-11ec-bd24-6c3be5272acd"> >+ <topic>Grafana -- XSS</topic> >+ <affects> >+ <package> >+ <name>grafana8</name> >+ <name>grafana</name> >+ <range><ge>8.0.0</ge><lt>8.2.3</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Grafana Labs reports:</p> >+ <blockquote cite="https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/"> >+ <p>If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victimâs browser.</p> >+ <p>The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.</p> >+ <p>There are two ways an unauthenticated user can open a page in Grafana that contains the login button:</p> >+ <ul> >+ <li>Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.</li> >+ <li>The link is to an unauthenticated page. The following pages are vulnerable: >+ <ul> >+ <li><code>/dashboard-solo/snapshot/*</code></li> >+ <li><code>/dashboard/snapshot/*</code></li> >+ <li><code>/invite/:code</code></li> >+ </ul> >+ </li> >+ </ul> >+ <p>The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: <code>{{ }}</code></p> >+ <p>An example of an expression would be: <code>{{constructor.constructor(âalert(1)â)()}}</code>. This can be included in the link URL like this:</p> >+ <p><a href="https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1">https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1</a></p> >+ <p>When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2021-41174</cvename> >+ <url>https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/</url> >+ </references> >+ <dates> >+ <discovery>2021-10-21</discovery> >+ <entry>2021-11-17</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="b8c0cbca-472d-11ec-83dc-3065ec8fd3ec"> > <topic>chromium -- multiple vulnerabilities</topic> > <affects>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=229571">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 259638
:
229261
|
229549
|
229570
|
229571
|
229575
|
229850
|
229973
|
229974