FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Unauthorized file disclosure

Affected packages
5.2.0 <= grafana < 8.3.11
8.4.0 <= grafana < 8.4.11
8.5.0 <= grafana < 8.5.11
9.0.0 <= grafana < 9.0.8
9.1.0 <= grafana < 9.1.2
7.0 <= grafana7
8.3.0 <= grafana8 < 8.3.11
8.4.0 <= grafana8 < 8.4.11
8.5.0 <= grafana8 < 8.5.11
9.0.0 <= grafana9 < 9.0.8
9.1.0 <= grafana9 < 9.1.2

Details

VuXML ID 827b95ff-290e-11ed-a2e7-6c3be5272acd
Discovery 2022-07-21
Entry 2022-09-01

Grafana Labs reports:

On July 21, an internal security review identified an unauthorized file disclosure vulnerability in the Grafana Image Renderer plugin when HTTP remote rendering is used. The Chromium browser embedded in the Grafana Image Renderer allows for “printing” of unauthorized files in a PNG file. This makes it possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake data source (this applies if the user has admin permissions in Grafana).

[source]

References

CVE Name CVE-2022-31176
URL https://github.com/grafana/grafana-image-renderer/security/advisories/GHSA-2cfh-233g-m4c5

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.