FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Critical vulnerability in golang

Affected packages
grafana < 8.5.24
9.0.0 <= grafana < 9.2.17
9.3.0 <= grafana < 9.3.13
9.4.0 <= grafana < 9.4.9
grafana8 < 8.5.24
grafana9 < 9.2.17
9.3.0 <= grafana9 < 9.3.13
9.4.0 <= grafana9 < 9.4.9

Details

VuXML ID 0b85b1cd-e468-11ed-834b-6c3be5272acd
Discovery 2023-04-19
Entry 2023-04-26

Grafana Labs reports:

An issue in how Go handles backticks (`) with JavaScript can lead to an injection of arbitrary code into Go templates. While Grafana Labs software contains potentially vulnerable versions of Go, we have not identified any exploitable use cases at this time.

The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).
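The following Go program is an added illustration for this entry; it is not code from Grafana Labs, the Go project or the FreeBSD port. It renders a constructed payload through html/template in the two JavaScript string contexts that matter here: inside a double-quoted string, which html/template has always escaped, and inside a backtick (ES6 template literal), the context CVE-2023-24538 concerns. It classifies how the toolchain it is compiled with treats an action in a backtick literal, and it reads the Go version embedded in any built binary (the same data `go version -m <binary>` prints, so it can be pointed at an installed grafana binary) and compares it against the Go releases that carried the fix, 1.19.8 and 1.20.3. The template strings, payloads and the version-comparison rule are the example's own assumptions.

```go
package main

import (
	"bytes"
	"debug/buildinfo"
	"html/template"
	"strconv"
	"strings"
)

// Constructed payloads (not taken from any real report): LiteralPayload
// closes an ES6 template literal with a backtick so the rest runs as
// JavaScript; QuotePayload tries the same against a double-quoted string.
const (
	LiteralPayload = "`;alert(document.domain);//`"
	QuotePayload   = `";alert(document.domain);//`
)

// Assumed templates: an action inside a double-quoted JS string and the
// same action inside a backtick template literal.
const (
	tmplDoubleQuoted = `<script>var name = "{{.}}";</script>`
	tmplBacktick     = "<script>var name = `{{.}}`;</script>"
)

// render parses and executes tmpl; html/template does its contextual
// escaping on the first Execute, so a rejected context errors there.
func render(tmpl string, data any) (string, error) {
	t, err := template.New("page").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, data)
	return buf.String(), err
}

// QuotedStringOutput renders the double-quoted template; the quote in the
// payload comes out as \u0022, so the string cannot be closed early.
func QuotedStringOutput() (string, error) {
	return render(tmplDoubleQuoted, QuotePayload)
}

// ClassifyTemplateLiteral reports how the running toolchain treats an
// action inside a backtick literal: "rejected" (Execute errored, the
// Go 1.19.8 / 1.20.3 behaviour), "escaped" (output produced with the
// backtick neutralised) or "injected" (raw payload in the output, i.e.
// an unpatched toolchain).
func ClassifyTemplateLiteral() string {
	out, err := render(tmplBacktick, LiteralPayload)
	switch {
	case err != nil:
		return "rejected"
	case strings.Contains(out, LiteralPayload):
		return "injected"
	default:
		return "escaped"
	}
}

// FixedGoVersion reports whether a toolchain version such as "go1.20.2"
// carries the fix (shipped in Go 1.19.8 and 1.20.3; later release lines
// include it, 1.18 and older never got it). Anything that does not parse
// as go<major>.<minor>[.<patch>] is conservatively reported as not fixed.
func FixedGoVersion(v string) bool {
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 {
		return false
	}
	if len(parts) > 3 {
		parts = parts[:3]
	}
	nums := make([]int, 3) // major, minor, patch (patch defaults to 0)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		nums[i] = n
	}
	major, minor, patch := nums[0], nums[1], nums[2]
	switch {
	case major != 1:
		return major > 1
	case minor >= 21:
		return true
	case minor == 20:
		return patch >= 3
	case minor == 19:
		return patch >= 8
	default:
		return false
	}
}

// BinaryGoVersion reads the toolchain version embedded in a built binary
// (for example an installed grafana binary), the same data that
// `go version -m <binary>` prints, for feeding to FixedGoVersion.
func BinaryGoVersion(path string) (string, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", err
	}
	return info.GoVersion, nil
}
```

With a Go toolchain older than 1.19.8 / 1.20.3, ClassifyTemplateLiteral returns "injected" because the escaper did not treat the backtick as a string delimiter and the payload's own backtick terminates the literal; patched toolchains either refuse to execute the template or neutralise the backtick. Checking the embedded Go version of the installed binary, rather than the version of the go package on the host, is the relevant test for a pre-built grafana package.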

References

CVE Name CVE-2023-24538
URL https://grafana.com/blog/2023/04/26/precautionary-patches-for-grafana-released-following-critical-go-vulnerability-cve-2023-24538/