[FREEBSD:0B85B1CD-E468-11ED-834B-6C3BE5272ACD] Grafana -- Critical vulnerability in golang

Severity: Critical
Affected Packages: 3
CVEs: 1

Grafana Labs reports:

  An issue in how Go handles backticks (`) with JavaScript can lead to
  an injection of arbitrary code into Go templates. While Grafana Labs software
  contains potentially vulnerable versions of Go, we have not identified any
  exploitable use cases at this time.
  The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).

| Package | Affected Version |
| pkg:freebsd/grafana9 | < 9.2.17 |
| pkg:freebsd/grafana8 | < 8.5.24 |
| pkg:freebsd/grafana | < 8.5.24 |

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
| Affected | pkg:freebsd/grafana9 | | grafana9 | < 9.2.17 | | | |
| Affected | pkg:freebsd/grafana8 | | grafana8 | < 8.5.24 | | | |
| Affected | pkg:freebsd/grafana | | grafana | < 8.5.24 | | | |