Date: Thu, 9 Feb 2023 10:21:10 GMT From: =?utf-8?Q?Fernando=20Apestegu=C3=ADa?= <fernape@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: bf2630cfd6a2 - main - security/vuxml: Record grafana{8,9} vulnerabilities Message-ID: <202302091021.319ALAk6003097@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by fernape: URL: https://cgit.FreeBSD.org/ports/commit/?id=bf2630cfd6a2ea9c113d56b4eef03b6b6284a86e commit bf2630cfd6a2ea9c113d56b4eef03b6b6284a86e Author: Boris Korzun <drtr0jan@yandex.ru> AuthorDate: 2023-02-08 15:36:53 +0000 Commit: Fernando ApesteguĂa <fernape@FreeBSD.org> CommitDate: 2023-02-09 10:16:46 +0000 security/vuxml: Record grafana{8,9} vulnerabilities CVE-2022-39324 and CVE-2022-23552 --- security/vuxml/vuln/2023.xml | 88 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 1d15f7bdb99e..5f3b57277e38 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,91 @@ + <vuln vid="ecffb881-a7a7-11ed-8d6a-6c3be5272acd"> + <topic>Grafana -- Stored XSS in ResourcePicker component</topic> + <affects> + <package> + <name>grafana</name> + <range><ge>8.1.0</ge><lt>8.5.16</lt></range> + <range><ge>9.0.0</ge><lt>9.2.10</lt></range> + <range><ge>9.3.0</ge><lt>9.3.4</lt></range> + </package> + <package> + <name>grafana8</name> + <range><ge>8.1.0</ge><lt>8.5.16</lt></range> + </package> + <package> + <name>grafana9</name> + <range><ge>9.0.0</ge><lt>9.2.10</lt></range> + <range><ge>9.3.0</ge><lt>9.3.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Grafana Labs reports:</p> + <blockquote cite="https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/"> + <p>On 2022-12-16 during an internal audit of Grafana, a member of the security + team found a stored XSS vulnerability affecting the core plugin GeoMap.</p> + <p>The stored XSS vulnerability was possible due to SVG-files weren't properly + sanitized and allowed arbitrary JavaScript to be executed in the context + of the currently authorized user of the Grafana instance.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-23552</cvename> + <url>https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv</url> + </references> + <dates> + <discovery>2022-12-16</discovery> + <entry>2023-02-09</entry> + </dates> + </vuln> + + <vuln vid="e6281d88-a7a7-11ed-8d6a-6c3be5272acd"> + <topic>Grafana -- Spoofing originalUrl of snapshots</topic> + <affects> + <package> + <name>grafana</name> + <range><ge>8.0.0</ge><lt>8.5.16</lt></range> + <range><ge>9.0.0</ge><lt>9.2.10</lt></range> + <range><ge>9.3.0</ge><lt>9.3.4</lt></range> + </package> + <package> + <name>grafana8</name> + <range><ge>8.0.0</ge><lt>8.5.16</lt></range> + </package> + <package> + <name>grafana9</name> + <range><ge>9.0.0</ge><lt>9.2.10</lt></range> + <range><ge>9.3.0</ge><lt>9.3.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Grafana Labs reports:</p> + <blockquote cite="https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/"> + <p>A third-party penetration test of Grafana found a vulnerability + in the snapshot functionality. The value of the originalUrl parameter + is automatically generated. The purpose of the presented originalUrl parameter + is to provide a user who views the snapshot with the possibility to click + on the <strong>Local Snapshot</strong> button in the Grafana web UI + and be presented with the dashboard that the snapshot captured. The value + of the originalUrl parameter can be arbitrarily chosen by a malicious user that + creates the snapshot. (Note: This can be done by editing the query thanks + to a web proxy like Burp.)</p> + <p>We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM + (CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-39324</cvename> + <url>https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw</url> + </references> + <dates> + <discovery>2023-01-25</discovery> + <entry>2023-02-09</entry> + </dates> + </vuln> + <vuln vid="1dd84344-a7da-11ed-86e9-d4c9ef517024"> <topic>LibreSSL -- Arbitrary memory read</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202302091021.319ALAk6003097>