FreeBSD Bugzilla – Attachment 235380 Details for
Bug 265330
www/grafana{8,9}: Update to 8.5.9 and 9.0.3 (Fixes security vulnerability)
[patch]
vuxml.diff
vuxml-grafana.diff (text/plain), 3.22 KB, created by Boris Korzun on 2022-07-20 08:18:25 UTC
>diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml >index 0a3fa85690aa..4e26009579b4 100644 >--- a/security/vuxml/vuln-2022.xml >+++ b/security/vuxml/vuln-2022.xml 
>@@ -1,3 +1,85 @@ >+ <vuln vid="0c367e98-0415-11ed-a53b-6c3be5272acd"> >+ <topic>Grafana -- Stored XSS</topic> >+ <affects> >+ <package> >+ <name>grafana</name> >+ <range><ge>8.3.0</ge><lt>8.3.10</lt></range> >+ <range><ge>8.4.0</ge><lt>8.4.10</lt></range> >+ <range><ge>8.5.0</ge><lt>8.5.9</lt></range> >+ <range><ge>9.0.0</ge><lt>9.0.3</lt></range> >+ </package> >+ <package> >+ <name>grafana8</name> >+ <range><ge>8.3.0</ge><lt>8.3.10</lt></range> >+ <range><ge>8.4.0</ge><lt>8.4.10</lt></range> >+ <range><ge>8.5.0</ge><lt>8.5.9</lt></range> >+ </package> >+ <package> >+ <name>grafana9</name> >+ <range><lt>9.0.3</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Grafana Labs reports:</p> >+ <blockquote cite="https://grafana.com/blog/2022/07/14/grafana-v9-0-3-8-5-9-8-4-10-and-8-3-10-released-with-high-severity-security-fix/"> >+ <p>An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. 
(Note: Grafana Alerting is activated by default in Grafana 9.0.)</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2022-31097</cvename> >+ <url>https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f</url> >+ </references> >+ <dates> >+ <discovery>2022-06-19</discovery> >+ <entry>2022-07-15</entry> >+ </dates> >+ </vuln> >+ >+ <vuln vid="0859e6d5-0415-11ed-a53b-6c3be5272acd"> >+ <topic>Grafana -- OAuth Account Takeover</topic> >+ <affects> >+ <package> >+ <name>grafana</name> >+ <range><ge>5.3.0</ge><lt>8.3.10</lt></range> >+ <range><ge>8.4.0</ge><lt>8.4.10</lt></range> >+ <range><ge>8.5.0</ge><lt>8.5.9</lt></range> >+ <range><ge>9.0.0</ge><lt>9.0.3</lt></range> >+ </package> >+ <package> >+ <name>grafana7</name> >+ <range><ge>7.0</ge></range> >+ </package> >+ <package> >+ <name>grafana8</name> >+ <range><ge>8.3.0</ge><lt>8.3.10</lt></range> >+ <range><ge>8.4.0</ge><lt>8.4.10</lt></range> >+ <range><ge>8.5.0</ge><lt>8.5.9</lt></range> >+ </package> >+ <package> >+ <name>grafana9</name> >+ <range><lt>9.0.3</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Grafana Labs reports:</p> >+ <blockquote cite="https://grafana.com/blog/2022/07/14/grafana-v9-0-3-8-5-9-8-4-10-and-8-3-10-released-with-high-severity-security-fix/"> >+ <p>It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <cvename>CVE-2022-31107</cvename> >+ <url>https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2</url> >+ </references> >+ <dates> >+ <discovery>2022-06-27</discovery> >+ <entry>2022-07-15</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="a4f2416c-02a0-11ed-b817-10c37b4ac2ea"> > <topic>go -- multiple vulnerabilities</topic> > <affects>
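Review bot: In the "Grafana -- OAuth Account Takeover" entry, the grafana7 package is given only `<range><ge>7.0</ge></range>` with no upper bound, so every grafana7 version is flagged and no later update can clear the entry, while every other package in the hunk ends at a fixed version. If that is intentional because there is no fixed 7.x release to point at, state it in the commit message; otherwise add the matching `<lt>`. In the "Grafana -- Stored XSS" entry, the quoted text never names the affected feature, so the parenthetical "(Note: Grafana Alerting is activated by default in Grafana 9.0.)" reads without context; quote enough of the advisory to show why that note matters. Both entries carry `<entry>2022-07-15</entry>`, which predates this attachment (created 2022-07-20); set it to the date the entries are actually committed.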
Flags: fluffy: maintainer-approval+