Bug 1193492 – VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin

Bug 1193492 - (CVE-2021-43798) VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin

(CVE-2021-43798)
Summary:	VUL-0: CVE-2021-43798: grafana: arbitrary file read in the graph native plugin

Status:	RESOLVED INVALID

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-43798:7.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-12-07 16:53 UTC by Thomas Leroy
Modified:	2021-12-13 08:21 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Screenshot of a poc (371.59 KB, image/jpeg) 2021-12-07 16:53 UTC, Thomas Leroy	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Leroy 2021-12-07 16:53:27 UTC

Created attachment 854380 [details]
Screenshot of a poc

An arbitrary file read has been dropped on Twitter on 2021-12-04. For the moment, no upstream fix is given.

A quick analysis of the code make the vuln probable, but we should monitor for acknowledgement from Grafana dev team, as well as a fix.

Probable vulnerable code is in getPluginAssets method, in grafana/blob/main/pkg/api/plugins.go:284.

References:
https://github.com/grafana/grafana/blob/a2ad0a0fb61b969ecf31b6cc9df3964cccf3e313/pkg/api/plugins.go#L284

Comment 1 Marcus Meissner 2021-12-08 08:36:30 UTC

https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/

Comment 2 Thomas Leroy 2021-12-08 15:46:28 UTC

Upstream fix commit:
https://github.com/grafana/grafana/commit/c798c0e958d15d9cc7f27c72113d572fa58545ce

Security advisory:
https://github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p

Comment 3 Thomas Leroy 2021-12-08 16:27:59 UTC

The vulnerable commit [0] has been introduced in v8.0.0. But every version that we ship is <7.5.11. Moreover, I checked that the vulnerable commit has not been backported. Therefore, I think we are not affected.
In light of the importance this vulnerability seems to take, that would be great if someone can double-check my assessment.

[0] https://github.com/grafana/grafana/commit/c37a3bebb7b5eb3a0bee5ffb26798282f0abead0

Comment 4 Christian Almeida de Oliveira 2021-12-09 15:31:21 UTC

Cloud 8 and Cloud 9 use both version 6.7.4, thus not impacted.
Back to Security team.

Comment 5 Thomas Leroy 2021-12-13 08:21:39 UTC

Thanks Christian for confirming. Closing since we are not affected.