FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Directory Traversal

Affected packages
8.0.0 <= grafana < 8.3.2
8.0.0 <= grafana8 < 8.3.2

Details

VuXML ID c2a7de31-5b42-11ec-8398-6c3be5272acd
Discovery 2021-12-09
Entry 2021-12-12

GitHub Security Labs reports:

A vulnerability through which authenticated users could read out fully lowercase or fully uppercase .md files through directory traversal. Doing our own follow-up investigation we found a related vulnerability through which authenticated users could read out arbitrary .csv files through directory traversal. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

The vulnerable URL path is: /api/ds/query
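The root cause described above, a user-supplied file name reaching the filesystem with only an extension check applied, is the general directory-traversal pattern. The following Go example (added here as an illustration; it is not Grafana's code and does not reproduce the actual /api/ds/query handler) contrasts that flawed pattern with a containment check that resolves the path and verifies it stays under the intended base directory. The base directory and file names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a resolved path escapes the allowed directory.
var ErrOutsideBase = errors.New("path escapes the allowed directory")

// NaiveJoin shows the bug class behind this advisory: the caller only checks
// the file extension (here case-insensitively, allowing ".csv" or ".CSV"), so
// "../" segments in userPath are never constrained and the cleaned result can
// point anywhere on the filesystem. Illustrative only, not Grafana's code.
func NaiveJoin(base, userPath string) (string, error) {
	if !strings.HasSuffix(strings.ToLower(userPath), ".csv") {
		return "", errors.New("only .csv files are allowed")
	}
	return filepath.Clean(base + "/" + userPath), nil
}

// SafeJoin resolves a user-controlled relative path against base and rejects
// any result that does not remain inside base. filepath.Join cleans the path
// (collapsing "." and ".." segments), and filepath.Rel then reveals whether the
// result climbed above base. Symlinks inside base are not resolved here; a
// production check would additionally apply filepath.EvalSymlinks on real files.
func SafeJoin(base, userPath string) (string, error) {
	cleanBase := filepath.Clean(base)
	joined := filepath.Join(cleanBase, userPath)
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

func main() {
	// Constructed sample inputs: one legitimate file name and one traversal attempt.
	base := "/srv/grafana-data" // hypothetical base directory
	for _, p := range []string{"reports/q1.csv", "../../etc/secret.csv"} {
		naive, nerr := NaiveJoin(base, p)
		safe, serr := SafeJoin(base, p)
		fmt.Printf("input %q\n  naive: %q err=%v\n  safe:  %q err=%v\n", p, naive, nerr, safe, serr)
	}
}
```

The extension check alone is not a security boundary: it constrains the file's name, not its directory. The containment check is what prevents a request from reading files outside the data directory, and it should be applied regardless of which extensions or letter cases are accepted.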

References

CVE Name CVE-2021-43815
URL https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/