From nobody Tue Mar 26 17:28:13 2024 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4V3xbL1Cn8z5FxqR; Tue, 26 Mar 2024 17:28:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4V3xbL0hbkz50QR; Tue, 26 Mar 2024 17:28:14 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1711474094; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=NXdPlw8LTH2KKUsXh+q/qsGfNlUrAlCaOThbbWe/UQ8=; b=LAXHgJFtew140dH6oSiEx4Kqlenv6aHEHTacXcAF9mQIQ2p+HHpp4ap8CO5w1UlxNaYsBx QBi3tLYb0JfqZtS6NUXpvxB8uGV60Vfd7Hzae20jIgCQdkFRmyp5nj7nEooongU/9tpb5D 6GFfGJFbbpwHi0Vg/vxpIz4P+ecPjeU9PeKUGKB/RdknQl5hKrFNNz24zZn1vzfr3WThIW SldbJPimQkIJL/fB1PF+H9xqrIP3F3m73jyLlNeFKaLN38gwtiwH9kHdsHzVZC7wBpWp1j QI4qkIX73v04M3I1AfrlYfYrSQx+6VEhA0bvf170rkp62SahhfhFgQVJNQhHow== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1711474094; a=rsa-sha256; cv=none; b=sx9TR7MIPyGJznqKU3jSMdIjdDUZEG89fiyXciqcer0rtIGTJ5MPCrn45DrGumiZ0F5wlc YK5dD/JbxuoJCbLRVKTGpR5cnsxawnso2ATgRJ8KdPefRaON/Yqw9a1khKu+Ppwap2XaTg uTNdLbS1nip3jUruKT8/6xPvzG10NvBnrggPTZ3qnIFZNQwu8j8lkGIQHHtHrmvWjaGhMJ KAEj8muLbTPWlm817KsyI5GVRnjGWO9gE/+ANNHEGpMBNzm0GIuqqWOfGMzDom3AIEPJo6 AoaZNpMuS74yU9FYKL/08iMCDHHvmsWZqVcqGNfrF1cF0EzdnwVD8QG9fXUe5A== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1711474094; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=NXdPlw8LTH2KKUsXh+q/qsGfNlUrAlCaOThbbWe/UQ8=; b=vDmcKpl1HpELzJe1ARKA3mmg6nozpJsktuy6WyYp1w3r1fcMsfZGQkWH/mMcLzXO5pbhU3 q8o+B2a2zk7jQYLGIR/fH41tNXWmKEY5sNCsVoqdbPHLLqMBdlDp+W61tFbZedVC2k4rIO lbddyq4lLJioJqwIoEwQVh12UdHhseAxfJ6jt/jEcc8rJFFp2Lxmjlx5ijFJA8Vfxw4AnF isiY9yirSvCuZ7SskAlrJYJlqwCiZj3cPdRPt412S1GSPVPjrWD5n/5aqKRLQBjhd7hSj8 10qpXMkrUYKJNTgO4o3T6IESwhKVjGDSBCgfh5/1xjov0VILy1CjVfAlRlBSqQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4V3xbL0FSCz18Bn; Tue, 26 Mar 2024 17:28:14 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 42QHSDXu071086; Tue, 26 Mar 2024 17:28:13 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 42QHSDP0071083; Tue, 26 Mar 2024 17:28:13 GMT (envelope-from git) Date: Tue, 26 Mar 2024 17:28:13 GMT Message-Id: <202403261728.42QHSDP0071083@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Matthew Seaman Subject: git: ae0d29991bd1 - main - security/vuxml: Add www/grafana and www/grafana9 data sourceprivilege escalation List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: matthew X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: ae0d29991bd190d8526ca001ab7cda10876a4e40 Auto-Submitted: auto-generated The branch main has been updated by matthew: URL: https://cgit.FreeBSD.org/ports/commit/?id=ae0d29991bd190d8526ca001ab7cda10876a4e40 commit ae0d29991bd190d8526ca001ab7cda10876a4e40 Author: Boris Korzun AuthorDate: 2024-03-26 17:04:56 +0000 Commit: Matthew Seaman CommitDate: 2024-03-26 17:27:48 +0000 security/vuxml: Add www/grafana and www/grafana9 data sourceprivilege escalation PR: 277631 --- security/vuxml/vuln/2024.xml | 60 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 7b227fba72f2..f8b51831e1c0 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -315,6 +315,66 @@ + + Grafana -- Data source permission escalation + + + grafana + 8.5.09.5.17 + 10.0.010.0.12 + 10.1.010.1.8 + 10.2.010.2.5 + 10.3.010.3.4 + + + grafana9 + 9.5.17 + + + grafana10 + 10.0.12 + 10.1.010.1.8 + 10.2.010.2.5 + 10.3.010.3.4 + + + + +

Grafana Labs reports:

+
+

The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, + and it is exploitable if a user who should not be able to access all data + sources is granted permissions to create a data source.

+

By default, only organization Administrators are allowed to create a data + source and have full access to all data sources. All other users need to be + explicitly granted permission to create a data source, which then means they + could exploit this vulnerability.

+

When a user creates a data source via the + API, + they can specify data source UID. If the UID is set to an asterisk (*), + the user gains permissions to query, update, and delete all data sources + in the organization. The exploit, however, does not stretch across + organizations — to exploit the vulnerability in several organizations, a user + would need permissions to create data sources in each organization.

+

The vulnerability comes from a lack of UID validation. When evaluating + permissions, we interpret an asterisk (*) as a wild card for all resources. + Therefore, we should treat it as a reserved value, and not allow the creation + of a resource with the UID set to an asterisk.

+

The CVSS score for this vulnerability is + 6 Medium.

+
+ + + + CVE-2024-1442 + https://grafana.com/security/security-advisories/cve-2024-1442/ + + + 2024-02-12 + 2024-03-11 + + + Unbound -- Denial-of-Service vulnerability