From nobody Sat Feb 26 15:00:39 2022
Date: Sat, 26 Feb 2022 15:00:39 GMT
From: Thomas Zander
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 580776c6bd96 - main - security/vuxml: Document grafana vulnerabilities
Message-Id: <202202261500.21QF0dWO065367@gitrepo.freebsd.org>
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: riggs
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 580776c6bd96e2b9de3e34a8c8c8b395b70aed69
Auto-Submitted: auto-generated

The branch main has been updated by riggs:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=580776c6bd96e2b9de3e34a8c8c8b395b70aed69 commit 580776c6bd96e2b9de3e34a8c8c8b395b70aed69 Author: Thomas Zander AuthorDate: 2022-02-26 14:58:47 +0000 Commit: Thomas Zander CommitDate: 2022-02-26 14:58:47 +0000 security/vuxml: Document grafana vulnerabilities PR: 261892 Reported by: Boris Korzun Security: CVE-2022-21702 CVE-2022-21703 CVE-2022-21713 --- security/vuxml/vuln-2022.xml | 108 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 335f5c6429a9..ee851c6b3bc8 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,111 @@ + + Grafana -- Teams API IDOR + + + grafana6 + 6.0.0 + + + grafana7 + 7.5.15 + + + grafana8 + 8.3.5 + + + + +

Grafana Labs reports:

+
+

On Jan. 18, an external security researcher, Kürşad ALSAN from NSPECT.IO (@nspectio on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability on Grafana Teams APIs. This vulnerability only impacts the following API endpoints:

+
    +
  • /teams/:teamId - an authenticated attacker can view unintended data by querying for the specific team ID.
  • +
  • /teams/:search - an authenticated attacker can search for teams and see the total number of available teams, including for those teams that the user does not have access to.
  • +
  • /teams/:teamId/members - when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.
  • +
+

We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

+
+ +
+ + CVE-2022-21713 + https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ + + + 2022-01-18 + 2022-02-12 + +
+ + + Grafana -- CSRF + + + grafana6 + 6.0.0 + + + grafana7 + 7.5.15 + + + grafana8 + 8.3.5 + + + + +

Grafana Labs reports:

+
+

On Jan. 18, security researchers @jub0bs and @abrahack contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

+
+ +
+ + CVE-2022-21703 + https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ + + + 2022-01-18 + 2022-02-12 + +
+ + + Grafana -- XSS + + + grafana6 + 6.0.0 + + + grafana7 + 7.5.15 + + + grafana8 + 8.3.5 + + + + +

Grafana Labs reports:

+
+

On Jan. 16, an external security researcher, Jasu Viding contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org. We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

+
+ +
+ + CVE-2022-21702 + https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ + + + 2022-01-16 + 2022-02-12 + +
+ cryptopp -- ElGamal implementation allows plaintext recovery
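Review bot: the affected-version lists are asymmetric across all three entries and deserve a second look before this goes in: grafana7 and grafana8 each carry only the fixed release (7.5.15 and 8.3.5, matching the linked blog post), while grafana6 carries only `6.0.0`, so if that is a lower bound with no upper bound it marks every 6.x release as vulnerable with no fixed version. That is very likely what is intended, since the blog post announces fixes only for 7.5.15 and 8.3.5, but none of the three descriptions says that the 6.x branch receives no fix; one sentence to that effect would save users of grafana6 from looking for an update that does not exist. Separately, the second date on each record (2022-02-12) does not match the CommitDate of 2022-02-26; if that field is meant to record when the entry was added, it should be moved to the commit date. Run `make validate` in security/vuxml against the final file so the DTD check covers the ranges and dates as committed.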