FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
a994ff7d-5b3f-11ec-8398-6c3be5272acdGrafana -- Directory Traversal

GitHub Security Labs reports:

A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /api/plugins/.*/markdown/.* for .md files


Discovery 2021-12-09
Entry 2021-12-12
grafana
ge 5.0.0 lt 7.5.12

ge 8.0.0 lt 8.3.2

grafana6
ge 6.0.0

grafana7
ge 7.0.0 lt 7.5.12

grafana8
ge 8.0.0 lt 8.3.2

CVE-2021-43813
https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/
827b95ff-290e-11ed-a2e7-6c3be5272acdGrafana -- Unauthorized file disclosure

Grafana Labs reports:

On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for “printing” of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).


Discovery 2022-07-21
Entry 2022-09-01
grafana
ge 5.2.0 lt 8.3.11

ge 8.4.0 lt 8.4.11

ge 8.5.0 lt 8.5.11

ge 9.0.0 lt 9.0.8

ge 9.1.0 lt 9.1.2

grafana7
ge 7.0

grafana8
ge 8.3.0 lt 8.3.11

ge 8.4.0 lt 8.4.11

ge 8.5.0 lt 8.5.11

grafana9
ge 9.0.0 lt 9.0.8

ge 9.1.0 lt 9.1.2

CVE-2022-31176
https://github.com/grafana/grafana-image-renderer/security/advisories/GHSA-2cfh-233g-m4c5
6f6c9420-6297-11ed-9ca2-6c3be5272acdGrafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Grafana Labs reports:

On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis the vulnerability impacts data source and plugin proxy endpoints with authentication tokens but under some conditions.

We believe that this vulnerability is rated at CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)


Discovery 2022-06-26
Entry 2022-11-12
grafana
ge 7.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

grafana7
ge 7.0.0

grafana8
ge 8.0.0 lt 8.5.14

grafana9
ge 9.0.0 lt 9.1.8

CVE-2022-31130
https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc
d4284c2e-8b83-11ec-b369-6c3be5272acdGrafana -- CSRF

Grafana Labs reports:

On Jan. 18, security researchers @jub0bs and @abrahack contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).


Discovery 2022-01-18
Entry 2022-02-12
grafana6
ge 6.0.0

grafana7
< 7.5.15

grafana8
< 8.3.5

CVE-2022-21703
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
cecbc674-8b83-11ec-b369-6c3be5272acdGrafana -- XSS

Grafana Labs reports:

On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).


Discovery 2022-01-16
Entry 2022-02-12
grafana6
ge 6.0.0

grafana7
< 7.5.15

grafana8
< 8.3.5

CVE-2022-21702
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
d71d154a-8b83-11ec-b369-6c3be5272acdGrafana -- Teams API IDOR

Grafana Labs reports:

On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:

  • /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
  • /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
  • /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.

We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).


Discovery 2022-01-18
Entry 2022-02-12
grafana6
ge 6.0.0

grafana7
< 7.5.15

grafana8
< 8.3.5

CVE-2022-21713
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
6877e164-6296-11ed-9ca2-6c3be5272acdGrafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Grafana Labs reports:

On September 7th as a result of an internal security audit we have discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis the vulnerability impacts data source and plugin proxy endpoints under certain conditions.

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)


Discovery 2022-09-07
Entry 2022-11-12
grafana
ge 5.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

grafana7
ge 7.0.0

grafana8
ge 8.0.0 lt 8.5.14

grafana9
ge 9.0.0 lt 9.1.8

CVE-2022-39201
https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr
0859e6d5-0415-11ed-a53b-6c3be5272acdGrafana -- OAuth Account Takeover

Grafana Labs reports:

It is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP to take over an existing Grafana account under some conditions.


Discovery 2022-06-27
Entry 2022-07-15
grafana
ge 5.3.0 lt 8.3.10

ge 8.4.0 lt 8.4.10

ge 8.5.0 lt 8.5.9

ge 9.0.0 lt 9.0.3

grafana7
ge 7.0

grafana8
ge 8.3.0 lt 8.3.10

ge 8.4.0 lt 8.4.10

ge 8.5.0 lt 8.5.9

grafana9
< 9.0.3

CVE-2022-31107
https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2
95e6e6ca-3986-11ed-8e0c-6c3be5272acdGrafana -- Privilege escalation

Grafana Labs reports:

On August 9 an internal security review identified a vulnerability in the Grafana which allows an escalation from Admin privileges to Server Admin when Auth proxy authentication is used.

Auth proxy allows to authenticate a user by only providing the username (or email) in a X-WEBAUTH-USER HTTP header: the trust assumption is that a front proxy will take care of authentication and that Grafana server is publicly reachable only with this front proxy.

Datasource proxy breaks this assumption:

  • it is possible to configure a fake datasource pointing to a localhost Grafana install with a X-WEBAUTH-USER HTTP header containing admin username.
  • This fake datasource can be called publicly via this proxying feature.

The CVSS score for this vulnerability is 6.6 Moderate (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).


Discovery 2022-08-09
Entry 2022-09-21
grafana
ge 2.1.0 lt 8.5.13

ge 9.0.0 lt 9.0.9

ge 9.1.0 lt 9.1.6

grafana7
ge 7.0

grafana8
ge 8.0.0 lt 8.5.13

grafana9
ge 9.0.0 lt 9.0.9

ge 9.1.0 lt 9.1.6

CVE-2022-35957
https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q
4e60d660-6298-11ed-9ca2-6c3be5272acdGrafana -- Plugin signature bypass

Grafana Labs reports:

On July 4th as a result of an internal security audit we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.

We believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).


Discovery 2022-07-04
Entry 2022-11-12
grafana
ge 7.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

grafana7
ge 7.0.0

grafana8
ge 8.0.0 lt 8.5.14

grafana9
ge 9.0.0 lt 9.1.8

CVE-2022-31123
https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
757ee63b-269a-11ec-a616-6c3be5272acdGrafana -- Snapshot authentication bypass

Grafana Labs reports:

Unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths:

  • /dashboard/snapshot/:key, or
  • /api/snapshots/:key

If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path:

  • /api/snapshots-delete/:deleteKey

Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths:

  • /api/snapshots/:key, or
  • /api/snapshots-delete/:deleteKey

The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss.


Discovery 2021-09-15
Entry 2021-10-06
grafana8
grafana7
grafana6
grafana
ge 8.0.0 lt 8.1.6

ge 2.0.1 lt 7.5.11

CVE-2021-39226
https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/