Bugzilla – Bug 1193688
VUL-1: CVE-2021-43813: grafana: directory traversal vulnerability for .md files
Last modified: 2022-09-27 13:22:32 UTC
rh#2031228 GitHub Security Labs notified us that there’s a limited directory traversal attack against Grafana 8.3.1 which allows access to '.md' files. During our internal follow-up investigation, we found an attack allowing access to `.csv` files. The vulnerable URL path is: '/api/plugins/.*/markdown/.*' References: https://bugzilla.redhat.com/show_bug.cgi?id=2031228 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43813 http://seclists.org/oss-sec/2021/q4/153 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43813 https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d http://www.cvedetails.com/cve/CVE-2021-43813/ https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/ https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/ https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/
Affected codestreams: - SUSE:SLE-12:Update - SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update - SUSE:SLE-15:Update - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update - SUSE:SLE-15-SP1:Update:Products:SES6:Update Also affected on openSUSE: - openSUSE:Backports:SLE-15-SP2:Update - openSUSE:Backports:SLE-15-SP3:Update - openSUSE:Leap:15.2:Update - openSUSE:Factory This CVE was used originally to track two separate vulnerabilities, each affecting .md and .csv files respectively. The .csv file bug was given CVE-2021-43815 (bnc#1193686) afterwards. Upstream fix: https://github.com/grafana/grafana/commit/d6ec6f8ad28f0212e584406730f939105ff6c6d3 7.5.x backport (omits fixes for CVE-2021-43815): https://github.com/grafana/grafana/commit/ea77415cfe2cefe46ffce233076a1409abaa8df7
Updated package requested for openSUSE Tumbleweed https://build.opensuse.org/request/show/941593
Uyuni and SUSE Manager submissions requested: * https://build.opensuse.org/request/show/942200 * https://build.suse.de/request/show/261150 * https://build.suse.de/request/show/261149
Prepared maintenance requests for: - SUSE:SLE-12:Update https://build.suse.de/request/show/261167 - SUSE:SLE-15:Update https://build.suse.de/request/show/261166 - SUSE:SLE-15-SP2:Update https://build.suse.de/request/show/261165
SUSE-SU-2022:0138-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1191454,1193688 CVE References: CVE-2021-39226,CVE-2021-43813 JIRA References: Sources used: SUSE Manager Tools 12 (src): grafana-7.5.12-1.27.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0140-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1191454,1193688 CVE References: CVE-2021-39226,CVE-2021-43813 JIRA References: Sources used: openSUSE Leap 15.3 (src): grafana-7.5.12-3.18.1
SUSE-SU-2022:0139-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1191454,1193688 CVE References: CVE-2021-39226,CVE-2021-43813 JIRA References: Sources used: SUSE Manager Tools 15 (src): grafana-7.5.12-1.27.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0310-1: An update that solves two vulnerabilities and has four fixes is now available. Category: security (moderate) Bug References: 1173103,1191285,1191454,1192487,1193600,1193688 CVE References: CVE-2021-39226,CVE-2021-43813 JIRA References: Sources used: SUSE Manager Tools 12-BETA (src): grafana-7.5.12-4.18.1, kiwi-desc-saltboot-0.1.1639488226.7c9eab9-4.12.1, mgr-cfg-4.3.3-4.18.2, mgr-custom-info-4.3.3-4.12.1, mgr-osad-4.3.3-4.21.2, mgr-push-4.3.2-4.12.2, mgr-virtualization-4.3.2-4.12.2, python-hwdata-2.3.5-15.9.1, rhnlib-4.3.2-24.21.1, salt-3000-49.41.3, spacecmd-4.3.5-41.30.1, spacewalk-client-tools-4.3.5-55.36.2, spacewalk-koan-4.3.2-27.12.1, spacewalk-oscap-4.3.2-22.12.1, spacewalk-remote-utils-4.3.2-27.12.2, suseRegisterInfo-4.3.2-28.18.1, uyuni-common-libs-4.3.2-3.24.1, zypp-plugin-spacewalk-1.0.11-33.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:0311-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1190781,1191454,1192487,1193600,1193688 CVE References: CVE-2021-39226,CVE-2021-43813 JIRA References: Sources used: SUSE Manager Tools 15-BETA (src): ansible-2.9.21-159000.3.6.2, grafana-7.5.12-159000.4.18.3, mgr-cfg-4.3.4-159000.4.20.2, mgr-custom-info-4.3.3-159000.4.12.3, mgr-osad-4.3.3-159000.4.21.4, mgr-push-4.3.2-159000.4.12.4, mgr-virtualization-4.3.2-159000.4.12.3, python-hwdata-2.3.5-159000.5.10.3, rhnlib-4.3.2-159000.6.21.3, salt-3003.3-159000.8.47.2, spacecmd-4.3.5-159000.6.30.3, spacewalk-client-tools-4.3.5-159000.6.36.5, spacewalk-koan-4.3.2-159000.6.12.3, spacewalk-oscap-4.3.2-159000.6.12.3, spacewalk-remote-utils-4.3.2-159000.6.12.3, suseRegisterInfo-4.3.2-159000.6.18.3, uyuni-common-libs-4.3.2-159000.3.24.4, zypp-plugin-spacewalk-1.0.11-159000.6.18.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Is there anything else left to be done here?
Fix accepted into SOC 9 staging https://build.suse.de/package/show/Devel:Cloud:9:Staging/grafana
SUSE-SU-2022:1729-1: An update that solves 17 vulnerabilities, contains two features and has one errata is now available. Category: security (important) Bug References: 1118088,1179534,1184177,1186380,1189390,1189794,1192070,1192073,1192075,1193597,1193688,1193752,1194521,1194551,1194552,1194952,1194954,1199138 CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-38155,CVE-2021-40085,CVE-2021-41182,CVE-2021-41183,CVE-2021-41184,CVE-2021-43813,CVE-2021-43818,CVE-2021-44716,CVE-2022-22815,CVE-2022-22816,CVE-2022-22817,CVE-2022-23451,CVE-2022-23452,CVE-2022-29970 JIRA References: SOC-11620,SOC-11621 Sources used: SUSE OpenStack Cloud Crowbar 9 (src): grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, rubygem-sinatra-1.4.6-4.3.1 SUSE OpenStack Cloud 9 (src): ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1, grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, venv-openstack-barbican-7.0.1~dev24-3.35.2, venv-openstack-cinder-13.0.10~dev24-3.38.1, venv-openstack-designate-7.0.2~dev2-3.35.1, venv-openstack-glance-17.0.1~dev30-3.33.1, venv-openstack-heat-11.0.4~dev4-3.35.1, venv-openstack-horizon-14.1.1~dev11-4.39.1, venv-openstack-ironic-11.1.5~dev18-4.33.1, venv-openstack-keystone-14.2.1~dev9-3.36.1, venv-openstack-magnum-7.2.1~dev1-4.35.1, venv-openstack-manila-7.4.2~dev60-3.41.1, venv-openstack-monasca-2.7.1~dev10-3.37.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.35.1, venv-openstack-neutron-13.0.8~dev206-6.39.1, venv-openstack-nova-18.3.1~dev91-3.39.1, venv-openstack-octavia-3.2.3~dev7-4.35.1, venv-openstack-sahara-9.0.2~dev15-3.35.1, venv-openstack-swift-2.19.2~dev48-2.30.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SOC 8 is under LTSS, meaning only CVE with base score higher than 7 will be solved. The fix for SOC 9 was included in the last MU. Back to the Security team.
SUSE-SU-2022:3425-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1191454,1193688 CVE References: CVE-2021-39226,CVE-2021-43813 JIRA References: Sources used: SUSE Enterprise Storage 6 (src): grafana-7.5.12-150100.3.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.