View | Details | Raw Unified | Return to bug 259638 | Differences between
and this patch

Collapse All | Expand All

(-)b/security/vuxml/vuln-2021.xml (+145 lines)
Lines 1-3 Link Here
1
  <vuln vid="e33880ed-5802-11ec-8398-6c3be5272acd">
2
    <topic>Grafana -- Path Traversal</topic>
3
    <affects>
4
      <package>
5
	<name>grafana8</name>
6
	<name>grafana</name>
7
	<range><lt></lt></range>
8
	<range><ge>8.0.0</ge><lt>8.0.7</lt></range>
9
	<range><ge>8.1.0</ge><lt>8.1.8</lt></range>
10
	<range><ge>8.2.0</ge><lt>8.2.7</lt></range>
11
	<range><ge>8.3.0</ge><lt>8.3.1</lt></range>
12
      </package>
13
    </affects>
14
    <description>
15
      <body xmlns="http://www.w3.org/1999/xhtml">
16
	<p>Grafana Labs reports:</p>
17
	<blockquote cite="https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/">
18
	  <p>Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has <a href="https://grafana.com/cloud/?pg=blog">Grafana Cloud</a> been vulnerable.</p>
19
	  <p><strong>The vulnerable URL path is:</strong> &lt;grafana_host_url&gt;<em>/public/plugins/&lt;“plugin-id”&gt;</em> where <em>&lt;“plugin-id”&gt;</em> is the plugin ID for any installed plugin.</p>
20
	  <p>Every Grafana instance comes with pre-installed plugins like the Prometheus plugin or MySQL plugin so the following URLs are vulnerable for every instance:</p>
21
	  <ul>
22
	    <li>&lt;grafana_host_url&gt;/public/plugins/alertlist/</li>
23
	    <li>&lt;grafana_host_url&gt;/public/plugins/annolist/</li>
24
	    <li>&lt;grafana_host_url&gt;/public/plugins/barchart/</li>
25
	    <li>&lt;grafana_host_url&gt;/public/plugins/bargauge/</li>
26
	    <li>&lt;grafana_host_url&gt;/public/plugins/candlestick/</li>
27
	    <li>&lt;grafana_host_url&gt;/public/plugins/cloudwatch/</li>
28
	    <li>&lt;grafana_host_url&gt;/public/plugins/dashlist/</li>
29
	    <li>&lt;grafana_host_url&gt;/public/plugins/elasticsearch/</li>
30
	    <li>&lt;grafana_host_url&gt;/public/plugins/gauge/</li>
31
	    <li>&lt;grafana_host_url&gt;/public/plugins/geomap/</li>
32
	    <li>&lt;grafana_host_url&gt;/public/plugins/gettingstarted/</li>
33
	    <li>&lt;grafana_host_url&gt;/public/plugins/grafana-azure-monitor-datasource/</li>
34
	    <li>&lt;grafana_host_url&gt;/public/plugins/graph/</li>
35
	    <li>&lt;grafana_host_url&gt;/public/plugins/heatmap/</li>
36
	    <li>&lt;grafana_host_url&gt;/public/plugins/histogram/</li>
37
	    <li>&lt;grafana_host_url&gt;/public/plugins/influxdb/</li>
38
	    <li>&lt;grafana_host_url&gt;/public/plugins/jaeger/</li>
39
	    <li>&lt;grafana_host_url&gt;/public/plugins/logs/</li>
40
	    <li>&lt;grafana_host_url&gt;/public/plugins/loki/</li>
41
	    <li>&lt;grafana_host_url&gt;/public/plugins/mssql/</li>
42
	    <li>&lt;grafana_host_url&gt;/public/plugins/mysql/</li>
43
	    <li>&lt;grafana_host_url&gt;/public/plugins/news/</li>
44
	    <li>&lt;grafana_host_url&gt;/public/plugins/nodeGraph/</li>
45
	    <li>&lt;grafana_host_url&gt;/public/plugins/opentsdb</li>
46
	    <li>&lt;grafana_host_url&gt;/public/plugins/piechart/</li>
47
	    <li>&lt;grafana_host_url&gt;/public/plugins/pluginlist/</li>
48
	    <li>&lt;grafana_host_url&gt;/public/plugins/postgres/</li>
49
	    <li>&lt;grafana_host_url&gt;/public/plugins/prometheus/</li>
50
	    <li>&lt;grafana_host_url&gt;/public/plugins/stackdriver/</li>
51
	    <li>&lt;grafana_host_url&gt;/public/plugins/stat/</li>
52
	    <li>&lt;grafana_host_url&gt;/public/plugins/state-timeline/</li>
53
	    <li>&lt;grafana_host_url&gt;/public/plugins/status-history/</li>
54
	    <li>&lt;grafana_host_url&gt;/public/plugins/table/</li>
55
	    <li>&lt;grafana_host_url&gt;/public/plugins/table-old/</li>
56
	    <li>&lt;grafana_host_url&gt;/public/plugins/tempo/</li>
57
	    <li>&lt;grafana_host_url&gt;/public/plugins/testdata/</li>
58
	    <li>&lt;grafana_host_url&gt;/public/plugins/text/</li>
59
	    <li>&lt;grafana_host_url&gt;/public/plugins/timeseries/</li>
60
	    <li>&lt;grafana_host_url&gt;/public/plugins/welcome/</li>
61
	    <li>&lt;grafana_host_url&gt;/public/plugins/zipkin/</li>
62
	  </ul>
63
	</blockquote>
64
      </body>
65
    </description>
66
    <references>
67
      <cvename>CVE-2021-43798</cvename>
68
      <url>https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/</url>
69
    </references>
70
    <dates>
71
      <discovery>2021-12-03</discovery>
72
      <entry>2021-12-07</entry>
73
    </dates>
74
  </vuln>
75
76
  <vuln vid="99bff2bd-4852-11ec-a828-6c3be5272acd">
77
    <topic>Grafana -- Incorrect Access Control</topic>
78
    <affects>
79
      <package>
80
	<name>grafana8</name>
81
	<name>grafana</name>
82
	<range><ge>8.0.0</ge><lt>8.2.4</lt></range>
83
      </package>
84
    </affects>
85
    <description>
86
      <body xmlns="http://www.w3.org/1999/xhtml">
87
	<p>Grafana Labs reports:</p>
88
	<blockquote cite="https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/">
89
	  <p>When the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance, Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin.</p>
90
	</blockquote>
91
      </body>
92
    </description>
93
    <references>
94
      <cvename>CVE-2021-41244</cvename>
95
      <url>https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes/</url>
96
    </references>
97
    <dates>
98
      <discovery>2021-11-02</discovery>
99
      <entry>2021-11-18</entry>
100
    </dates>
101
  </vuln>
102
103
  <vuln vid="4b478274-47a0-11ec-bd24-6c3be5272acd">
104
    <topic>Grafana -- XSS</topic>
105
    <affects>
106
      <package>
107
	<name>grafana8</name>
108
	<name>grafana</name>
109
	<range><ge>8.0.0</ge><lt>8.2.3</lt></range>
110
      </package>
111
    </affects>
112
    <description>
113
      <body xmlns="http://www.w3.org/1999/xhtml">
114
	<p>Grafana Labs reports:</p>
115
	<blockquote cite="https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/">
116
	  <p>If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim’s browser.</p>
117
	  <p>The user visiting the malicious link must be unauthenticated, and the link must be for a page that contains the login button in the menu bar.</p>
118
	  <p>There are two ways an unauthenticated user can open a page in Grafana that contains the login button:</p>
119
	  <ul>
120
	    <li>Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.</li>
121
	    <li>The link is to an unauthenticated page. The following pages are vulnerable:
122
	      <ul>
123
		<li><code>/dashboard-solo/snapshot/*</code></li>
124
		<li><code>/dashboard/snapshot/*</code></li>
125
		<li><code>/invite/:code</code></li>
126
	      </ul>
127
	    </li>
128
	  </ul>
129
	  <p>The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: <code>{{ }}</code></p>
130
	  <p>An example of an expression would be: <code>{{constructor.constructor(‘alert(1)’)()}}</code>. This can be included in the link URL like this:</p>
131
	  <p><a href="https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1">https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1</a></p>
132
	  <p>When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated, and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.</p>
133
	</blockquote>
134
      </body>
135
    </description>
136
    <references>
137
      <cvename>CVE-2021-41174</cvename>
138
      <url>https://grafana.com/blog/2021/11/03/grafana-8.2.3-released-with-medium-severity-security-fix-cve-2021-41174-grafana-xss/</url>
139
    </references>
140
    <dates>
141
      <discovery>2021-10-21</discovery>
142
      <entry>2021-11-17</entry>
143
    </dates>
144
  </vuln>
145
1
  <vuln vid="18ac074c-579f-11ec-aac7-3065ec8fd3ec">
146
  <vuln vid="18ac074c-579f-11ec-aac7-3065ec8fd3ec">
2
    <topic>chromium -- multiple vulnerabilities</topic>
147
    <topic>chromium -- multiple vulnerabilities</topic>
3
    <affects>
148
    <affects>

Return to bug 259638