Attachment 242672 Details for Bug 271893 – vuxml.patch

[patch] vuxml.patch

grafana-vuxml.diff (text/plain), 3.39 KB, created by Boris Korzun on 2023-06-07 21:06:33 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Boris Korzun

Created: 2023-06-07 21:06:33 UTC

Size: 3.39 KB

patch

obsolete

>diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
>index 0218f35a2aff..9d5714a07bd1 100644
>--- a/security/vuxml/vuln/2023.xml
>+++ b/security/vuxml/vuln/2023.xml
>@@ -1,3 +1,87 @@
>+ <vuln vid="6c1de144-056f-11ee-8e16-6c3be5272acd">
>+ <topic>Grafana -- Broken access control: viewer can send test alerts</topic>
>+ <affects>
>+ <package>
>+	<name>grafana</name>
>+	<range><ge>8.0.0</ge><lt>8.5.26</lt></range>
>+	<range><ge>9.0.0</ge><lt>9.2.19</lt></range>
>+	<range><ge>9.3.0</ge><lt>9.3.15</lt></range>
>+	<range><ge>9.4.0</ge><lt>9.4.12</lt></range>
>+	<range><ge>9.5.0</ge><lt>9.5.3</lt></range>
>+ </package>
>+ <package>
>+	<name>grafana8</name>
>+	<range><ge>8.0.0</ge><lt>8.5.26</lt></range>
>+ </package>
>+ <package>
>+	<name>grafana9</name>
>+	<range><lt>9.2.19</lt></range>
>+	<range><ge>9.3.0</ge><lt>9.3.15</lt></range>
>+	<range><ge>9.4.0</ge><lt>9.4.12</lt></range>
>+	<range><ge>9.5.0</ge><lt>9.5.3</lt></range>
>+ </package>
>+ </affects>
>+ <description>
>+ <body xmlns="http://www.w3.org/1999/xhtml">
>+	Grafana Labs reports:
>+	<blockquote cite="https://grafana.com/blog/2023/06/06/grafana-security-release-new-grafana-versions-with-security-fixes-for-cve-2023-2183-and-cve-2023-2801/">
>+	 Grafana can allow an attacker in the Viewer role
>+	 to send alerts by API Alert - Test. This option,
>+	 however, is not available in the user panel UI for the Viewer role.
>+	 
>+	 The CVSS score for this vulnerability is 4.1 Medium
>+	 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).
>+	</blockquote>
>+ </body>
>+ </description>
>+ <references>
>+ <cvename>CVE-2023-2183</cvename>
>+ <url>https://grafana.com/security/security-advisories/cve-2023-2183/</url>
>+ </references>
>+ <dates>
>+ <discovery>2023-06-06</discovery>
>+ <entry>2023-06-07</entry>
>+ </dates>
>+ </vuln>
>+
>+ <vuln vid="652064ef-056f-11ee-8e16-6c3be5272acd">
>+ <topic>Grafana -- Grafana DS proxy race condition</topic>
>+ <affects>
>+ <package>
>+	<name>grafana</name>
>+	<range><ge>9.4.0</ge><lt>9.4.12</lt></range>
>+	<range><ge>9.5.0</ge><lt>9.5.3</lt></range>
>+ </package>
>+ <package>
>+	<name>grafana9</name>
>+	<range><ge>9.4.0</ge><lt>9.4.12</lt></range>
>+	<range><ge>9.5.0</ge><lt>9.5.3</lt></range>
>+ </package>
>+ </affects>
>+ <description>
>+ <body xmlns="http://www.w3.org/1999/xhtml">
>+	Grafana Labs reports:
>+	<blockquote cite="https://grafana.com/blog/2023/06/06/grafana-security-release-new-grafana-versions-with-security-fixes-for-cve-2023-2183-and-cve-2023-2801/">
>+	 We have discovered a vulnerability with Grafanaâs data source query
>+	 endpoints that could end up crashing a Grafana instance.
>+	 If you have public dashboards (PD) enabled, we
>+	 are scoring this as a CVSS 7.5 High.
>+	 If you have disabled PD, this vulnerability is still a risk,
>+	 but triggering the issue requires data source read privileges
>+	 and access to the Grafana API through a developer script.
>+	</blockquote>
>+ </body>
>+ </description>
>+ <references>
>+ <cvename>CVE-2023-2801</cvename>
>+ <url>CVE-2023-2801</url>
>+ </references>
>+ <dates>
>+ <discovery>2023-06-06</discovery>
>+ <entry>2023-06-07</entry>
>+ </dates>
>+ </vuln>
>+
> <vuln vid="12741b1f-04f9-11ee-8290-a8a1599412c6">
> <topic>chromium -- multiple vulnerabilities</topic>
> <affects>

Flags:

drtr0jan: maintainer-approval? (ports-secteam)

Actions: View | Diff

Attachments on bug 271893: 242670 | 242671 | 242672