diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 43b87c9ef03c..0df0e367b0f9 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,148 @@ + + Grafana -- Path Traversal + + + grafana8 + grafana + + 8.0.08.0.7 + 8.1.08.1.8 + 8.2.08.2.7 + 8.3.08.3.1 + + + + +

Grafana Labs reports:

+
+

Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

+

The vulnerable URL path is: <grafana_host_url>/public/plugins/<“plugin-id”> where <“plugin-id”> is the plugin ID for any installed plugin.

+

Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:

+
    +
  • <grafana_host_url>/public/plugins/alertlist/
  • +
  • <grafana_host_url>/public/plugins/annolist/
  • +
  • <grafana_host_url>/public/plugins/barchart/
  • +
  • <grafana_host_url>/public/plugins/bargauge/
  • +
  • <grafana_host_url>/public/plugins/candlestick/
  • +
  • <grafana_host_url>/public/plugins/cloudwatch/
  • +
  • <grafana_host_url>/public/plugins/dashlist/
  • +
  • <grafana_host_url>/public/plugins/elasticsearch/
  • +
  • <grafana_host_url>/public/plugins/gauge/
  • +
  • <grafana_host_url>/public/plugins/geomap/
  • +
  • <grafana_host_url>/public/plugins/gettingstarted/
  • +
  • <grafana_host_url>/public/plugins/grafana-azure-monitor-datasource/
  • +
  • <grafana_host_url>/public/plugins/graph/
  • +
  • <grafana_host_url>/public/plugins/heatmap/
  • +
  • <grafana_host_url>/public/plugins/histogram/
  • +
  • <grafana_host_url>/public/plugins/influxdb/
  • +
  • <grafana_host_url>/public/plugins/jaeger/
  • +
  • <grafana_host_url>/public/plugins/logs/
  • +
  • <grafana_host_url>/public/plugins/loki/
  • +
  • <grafana_host_url>/public/plugins/mssql/
  • +
  • <grafana_host_url>/public/plugins/mysql/
  • +
  • <grafana_host_url>/public/plugins/news/
  • +
  • <grafana_host_url>/public/plugins/nodeGraph/
  • +
  • <grafana_host_url>/public/plugins/opentsdb
  • +
  • <grafana_host_url>/public/plugins/piechart/
  • +
  • <grafana_host_url>/public/plugins/pluginlist/
  • +
  • <grafana_host_url>/public/plugins/postgres/
  • +
  • <grafana_host_url>/public/plugins/prometheus/
  • +
  • <grafana_host_url>/public/plugins/stackdriver/
  • +
  • <grafana_host_url>/public/plugins/stat/
  • +
  • <grafana_host_url>/public/plugins/state-timeline/
  • +
  • <grafana_host_url>/public/plugins/status-history/
  • +
  • <grafana_host_url>/public/plugins/table/
  • +
  • <grafana_host_url>/public/plugins/table-old/
  • +
  • <grafana_host_url>/public/plugins/tempo/
  • +
  • <grafana_host_url>/public/plugins/testdata/
  • +
  • <grafana_host_url>/public/plugins/text/
  • +
  • <grafana_host_url>/public/plugins/timeseries/
  • +
  • <grafana_host_url>/public/plugins/welcome/
  • +
  • <grafana_host_url>/public/plugins/zipkin/
  • +
+
+ +
+ + CVE-2021-43798 + https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/ + + + 2021-12-03 + 2021-12-07 + +
+ + + Grafana -- Incorrect Access Control + + + grafana8 + grafana + 8.0.08.2.4 + + + + +

Grafana Labs reports:

+
+

When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.

+
+ +
+ + CVE-2021-41244 + https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/ + + + 2021-11-02 + 2021-11-18 + +
+ + + Grafana -- XSS + + + grafana8 + grafana + 8.0.08.2.3 + + + + +

Grafana Labs reports:

+
+

If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.

+

The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.

+

There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

+
    +
  • Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
  • +
  • The link is to an unauthenticated page. The following pages are vulnerable: +
      +
    • /dashboard-solo/snapshot/*
    • +
    • /dashboard/snapshot/*
    • +
    • /invite/:code
    • +
    +
  • +
+

The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

+

An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}. This can be included in the link URL like this:

+

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

+

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

+
+ +
+ + CVE-2021-41174 + https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/ + + + 2021-10-21 + 2021-11-17 + +
+ chromium -- multiple vulnerabilities
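Review bot: the Path Traversal entry's affected range opens at 8.0.0 (the first range reads 8.0.0 to 8.0.7) while the quoted Grafana Labs text says the issue was confirmed from v8.0.0-beta1 onward, so if the port ever shipped a pre-release 8.0.0 package that version would fall outside every range; please either note that beta versions are intentionally excluded or lower the bound. The four upper bounds (8.0.7, 8.1.8, 8.2.7, 8.3.1) do line up with the fixed releases named in the referenced blog URL, and the discovery and entry dates for all three entries are in order. As a style point, the XSS entry reproduces the vendor's working example URL against play.grafana.org; the description of the affected pages and the AngularJS interpolation mechanism is enough for a VuXML reader to identify and patch affected installs, so consider dropping the concrete URL and keeping only the CVE and the advisory link.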