[FREEBSD:A994FF7D-5B3F-11EC-8398-6C3BE5272ACD] Grafana -- Directory Traversal
Severity: Medium
Affected Packages: 4
CVEs: 1
GitHub Security Labs reports:
A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.
The vulnerable URL path is: /api/plugins/.*/markdown/.* for .md files
Package | Affected Version
---|---
pkg:freebsd/grafana8 | < 8.3.2
pkg:freebsd/grafana7 | < 7.5.12
pkg:freebsd/grafana6 |
pkg:freebsd/grafana | < 7.5.12
- ID: FREEBSD:A994FF7D-5B3F-11EC-8398-6C3BE5272ACD
- Severity: medium
- Severity from: CVE-2021-43813
- URL: http://vuxml.freebsd.org/freebsd/a994ff7d-5b3f-11ec-8398-6c3be5272acd.html
- Published: 2021-12-09T00:00:00
- Modified: 2021-12-12T00:00:00
- Rights: FreeBSD VuXML Security Team
- Other Advisories:
  - ALPINE:CVE-2021-43813
  - ALSA-2022:1781
  - ASA-202112-11
  - ELSA-2022-1781
  - FEDORA-2022-6e6b59a682
  - FEDORA-2022-c6ae206be7
  - openSUSE-SU-2022:0140-1
  - RHSA-2022:1781
  - RLSA-2022:1781
  - SUSE-SU-2022:0138-1
  - SUSE-SU-2022:0139-1
  - SUSE-SU-2022:0310-1
  - SUSE-SU-2022:0311-1
  - SUSE-SU-2022:0751-1
  - SUSE-SU-2022:1396-1
  - SUSE-SU-2022:1729-1
  - SUSE-SU-2022:2134-1
  - SUSE-SU-2022:3425-1
  - SUSE-SU-2022:4428-1
  - SUSE-SU-2022:4437-1
  - SUSE-SU-2022:4439-1
  - SUSE-SU-2024:0191-1
  - SUSE-SU-2024:0196-1
Source | ID | Name | URL
---|---|---|---
FreeBSD VuXML | | | https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/
CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date
---|---|---|---|---|---|---|---|---|---|---|---