[FREEBSD:A994FF7D-5B3F-11EC-8398-6C3BE5272ACD] Grafana -- Directory Traversal

Severity: Medium
Affected Packages: 4
CVEs: 1

GitHub Security Labs reports:

  A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.
  The vulnerable URL path is: /api/plugins/.*/markdown/.* for .md files

| Type | Package URL | Name / Product | Version |
|---|---|---|---|
| Affected | pkg:freebsd/grafana8 | grafana8 | < 8.3.2 |
| Affected | pkg:freebsd/grafana7 | grafana7 | < 7.5.12 |
| Affected | pkg:freebsd/grafana6 | grafana6 | |
| Affected | pkg:freebsd/grafana | grafana | < 7.5.12 |
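
Detection logic for the URL path quoted above, added here as an example (it is not code from Grafana, GitHub Security Lab or the FreeBSD advisory): it flags access-log requests to the markdown route whose percent-decoded path contains a `..` segment. The common-log-format layout, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Route named in the advisory: /api/plugins/.*/markdown/.*
MARKDOWN_ROUTE = re.compile(r"^/api/plugins/.+?/markdown/(?P<rest>.*)$", re.DOTALL)
# Assumed log layout: common log format written by a reverse proxy.
REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(target):
    """True if a request to the markdown route carries a '..' path segment."""
    path = decode_fully(target.split("?", 1)[0])  # ignore the query string
    match = MARKDOWN_ROUTE.match(path)
    if not match:
        return False
    # Compare whole segments so names such as 'release..notes' are not flagged.
    return ".." in re.split(r"[/\\]", match.group("rest"))

def scan(lines):
    """Return (line_number, request_target) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        request = REQUEST_LINE.search(line)
        if request and is_traversal_attempt(request.group("target")):
            hits.append((number, request.group("target")))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '203.0.113.5 - alice [07/Dec/2021:10:00:01 +0000] "GET /api/plugins/example-panel/markdown/README HTTP/1.1" 200 512',
    '203.0.113.9 - bob [07/Dec/2021:10:00:02 +0000] "GET /api/plugins/example-panel/markdown/..%2f..%2fNOTES.md HTTP/1.1" 200 2048',
    '203.0.113.9 - bob [07/Dec/2021:10:00:03 +0000] "GET /api/plugins/example-panel/markdown/%252e%252e%252fnotes.md HTTP/1.1" 404 19',
    '203.0.113.5 - alice [07/Dec/2021:10:00:04 +0000] "GET /api/dashboards/home HTTP/1.1" 200 1200',
    '203.0.113.5 - alice [07/Dec/2021:10:00:05 +0000] "GET /api/plugins/example-panel/markdown/release..notes HTTP/1.1" 404 19',
]

if __name__ == "__main__":
    for number, target in scan(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A hit with a 200 status on a host running one of the affected package versions is the case to review first, since the advisory states that authenticated users could read files through this path.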