Bug 1193688 - (CVE-2021-43813) VUL-1: CVE-2021-43813: grafana: directory traversal vulnerability for .md files
(CVE-2021-43813)
VUL-1: CVE-2021-43813: grafana: directory traversal vulnerability for .md files
Status: CONFIRMED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: E-Mail List
Security Team bot
https://smash.suse.de/issue/317105/
CVSSv3.1:SUSE:CVE-2021-43813:4.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-12-13 15:42 UTC by Carlos López
Modified: 2022-06-08 08:36 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Carlos López 2021-12-13 15:43:45 UTC
Affected codestreams:
 - SUSE:SLE-12:Update
 - SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
 - SUSE:SLE-15:Update
 - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update
 - SUSE:SLE-15-SP1:Update:Products:SES6:Update

Also affected on openSUSE:
 - openSUSE:Backports:SLE-15-SP2:Update
 - openSUSE:Backports:SLE-15-SP3:Update
 - openSUSE:Leap:15.2:Update
 - openSUSE:Factory

This CVE was used originally to track two separate vulnerabilities,
each affecting .md and .csv files respectively. The .csv file bug was given CVE-2021-43815 (bnc#1193686) afterwards.

Upstream fix:
https://github.com/grafana/grafana/commit/d6ec6f8ad28f0212e584406730f939105ff6c6d3

7.5.x backport (omits fixes for CVE-2021-43815):
https://github.com/grafana/grafana/commit/ea77415cfe2cefe46ffce233076a1409abaa8df7
Comment 4 Witek Bedyk 2021-12-20 14:55:37 UTC
Updated package requested for openSUSE Tumbleweed
https://build.opensuse.org/request/show/941593
Comment 5 Witek Bedyk 2021-12-23 09:07:06 UTC
Uyuni and SUSE Manager submissions requested:

* https://build.opensuse.org/request/show/942200
* https://build.suse.de/request/show/261150
* https://build.suse.de/request/show/261149
Comment 6 Witek Bedyk 2021-12-23 14:34:06 UTC
Prepared maintenance requests for:

 - SUSE:SLE-12:Update https://build.suse.de/request/show/261167
 - SUSE:SLE-15:Update https://build.suse.de/request/show/261166
 - SUSE:SLE-15-SP2:Update https://build.suse.de/request/show/261165
Comment 8 Swamp Workflow Management 2022-01-20 17:21:35 UTC
SUSE-SU-2022:0138-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1191454,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
SUSE Manager Tools 12 (src):    grafana-7.5.12-1.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-01-20 17:24:08 UTC
openSUSE-SU-2022:0140-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1191454,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    grafana-7.5.12-3.18.1
Comment 10 Swamp Workflow Management 2022-01-20 17:28:24 UTC
SUSE-SU-2022:0139-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1191454,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
SUSE Manager Tools 15 (src):    grafana-7.5.12-1.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-02-02 14:42:11 UTC
SUSE-SU-2022:0310-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1173103,1191285,1191454,1192487,1193600,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
SUSE Manager Tools 12-BETA (src):    grafana-7.5.12-4.18.1, kiwi-desc-saltboot-0.1.1639488226.7c9eab9-4.12.1, mgr-cfg-4.3.3-4.18.2, mgr-custom-info-4.3.3-4.12.1, mgr-osad-4.3.3-4.21.2, mgr-push-4.3.2-4.12.2, mgr-virtualization-4.3.2-4.12.2, python-hwdata-2.3.5-15.9.1, rhnlib-4.3.2-24.21.1, salt-3000-49.41.3, spacecmd-4.3.5-41.30.1, spacewalk-client-tools-4.3.5-55.36.2, spacewalk-koan-4.3.2-27.12.1, spacewalk-oscap-4.3.2-22.12.1, spacewalk-remote-utils-4.3.2-27.12.2, suseRegisterInfo-4.3.2-28.18.1, uyuni-common-libs-4.3.2-3.24.1, zypp-plugin-spacewalk-1.0.11-33.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-02-02 14:54:00 UTC
SUSE-SU-2022:0311-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1190781,1191454,1192487,1193600,1193688
CVE References: CVE-2021-39226,CVE-2021-43813
JIRA References: 
Sources used:
SUSE Manager Tools 15-BETA (src):    ansible-2.9.21-159000.3.6.2, grafana-7.5.12-159000.4.18.3, mgr-cfg-4.3.4-159000.4.20.2, mgr-custom-info-4.3.3-159000.4.12.3, mgr-osad-4.3.3-159000.4.21.4, mgr-push-4.3.2-159000.4.12.4, mgr-virtualization-4.3.2-159000.4.12.3, python-hwdata-2.3.5-159000.5.10.3, rhnlib-4.3.2-159000.6.21.3, salt-3003.3-159000.8.47.2, spacecmd-4.3.5-159000.6.30.3, spacewalk-client-tools-4.3.5-159000.6.36.5, spacewalk-koan-4.3.2-159000.6.12.3, spacewalk-oscap-4.3.2-159000.6.12.3, spacewalk-remote-utils-4.3.2-159000.6.12.3, suseRegisterInfo-4.3.2-159000.6.18.3, uyuni-common-libs-4.3.2-159000.3.24.4, zypp-plugin-spacewalk-1.0.11-159000.6.18.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Jordi Massaguer 2022-02-04 09:04:41 UTC
Is there anything else left to be done here?
Comment 17 Darragh O'Reilly 2022-02-15 15:43:28 UTC
Fix accepted into SOC 9 staging

https://build.suse.de/package/show/Devel:Cloud:9:Staging/grafana
Comment 19 Swamp Workflow Management 2022-05-18 19:16:58 UTC
SUSE-SU-2022:1729-1: An update that solves 17 vulnerabilities, contains two features and has one errata is now available.

Category: security (important)
Bug References: 1118088,1179534,1184177,1186380,1189390,1189794,1192070,1192073,1192075,1193597,1193688,1193752,1194521,1194551,1194552,1194952,1194954,1199138
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-38155,CVE-2021-40085,CVE-2021-41182,CVE-2021-41183,CVE-2021-41184,CVE-2021-43813,CVE-2021-43818,CVE-2021-44716,CVE-2022-22815,CVE-2022-22816,CVE-2022-22817,CVE-2022-23451,CVE-2022-23452,CVE-2022-29970
JIRA References: SOC-11620,SOC-11621
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, rubygem-sinatra-1.4.6-4.3.1
SUSE OpenStack Cloud 9 (src):    ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1, grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, venv-openstack-barbican-7.0.1~dev24-3.35.2, venv-openstack-cinder-13.0.10~dev24-3.38.1, venv-openstack-designate-7.0.2~dev2-3.35.1, venv-openstack-glance-17.0.1~dev30-3.33.1, venv-openstack-heat-11.0.4~dev4-3.35.1, venv-openstack-horizon-14.1.1~dev11-4.39.1, venv-openstack-ironic-11.1.5~dev18-4.33.1, venv-openstack-keystone-14.2.1~dev9-3.36.1, venv-openstack-magnum-7.2.1~dev1-4.35.1, venv-openstack-manila-7.4.2~dev60-3.41.1, venv-openstack-monasca-2.7.1~dev10-3.37.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.35.1, venv-openstack-neutron-13.0.8~dev206-6.39.1, venv-openstack-nova-18.3.1~dev91-3.39.1, venv-openstack-octavia-3.2.3~dev7-4.35.1, venv-openstack-sahara-9.0.2~dev15-3.35.1, venv-openstack-swift-2.19.2~dev48-2.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Christian Almeida de Oliveira 2022-06-08 08:36:19 UTC
SOC 8 is under LTSS, meaning only CVE with base score higher than 7 will be solved.
The fix for SOC 9 was included in the last MU.
Back to the Security team.