FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Directory Traversal

Affected packages
5.0.0 <= grafana < 7.5.12
8.0.0 <= grafana < 8.3.2
6.0.0 <= grafana6
7.0.0 <= grafana7 < 7.5.12
8.0.0 <= grafana8 < 8.3.2

Details

VuXML ID a994ff7d-5b3f-11ec-8398-6c3be5272acd
Discovery 2021-12-09
Entry 2021-12-12

GitHub Security Labs reports:

A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /api/plugins/.*/markdown/.* for .md files

[source]

References

CVE Name CVE-2021-43813
URL https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.