[FREEBSD:E6281D88-A7A7-11ED-8D6A-6C3BE5272ACD] Grafana -- Spoofing originalUrl of snapshots
Severity
Low
Affected Packages
3
CVEs
1
Grafana Labs reports:
A third-party penetration test of Grafana found a vulnerability
in the snapshot functionality. The value of the originalUrl parameter
is automatically generated. The purpose of the presented originalUrl parameter
is to provide a user who views the snapshot with the possibility to click
on the Local Snapshot button in the Grafana web UI
and be presented with the dashboard that the snapshot captured. The value
of the originalUrl parameter can be arbitrarily chosen by a malicious user that
creates the snapshot. (Note: This can be done by editing the query thanks
to a web proxy like Burp.)
We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM
(CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).
Package | Affected Version |
---|---|
pkg:freebsd/grafana9 | < 9.2.10 |
pkg:freebsd/grafana8 | < 8.5.16 |
pkg:freebsd/grafana | < 8.5.16 |
- ID
- FREEBSD:E6281D88-A7A7-11ED-8D6A-6C3BE5272ACD
- Severity
- low
- Severity from
- CVE-2022-39324
- URL
- http://vuxml.freebsd.org/freebsd/e6281d88-a7a7-11ed-8d6a-6c3be5272acd.html
- Published
-
2023-01-25T00:00:00
(20 months ago) - Modified
-
2023-02-09T00:00:00
(19 months ago) - Rights
- FreeBSD VuXML Security Team
- Other Advisories
Source | # ID | Name | URL |
---|---|---|---|
FreeBSD VuXML | https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |