Vulnerability in Grafana allowing access to files on the system

A vulnerability (CVE-2021-43798) has been identified in the open-source Grafana platform that allows escaping the base directory and reading arbitrary files on the server's local filesystem, as far as the access rights of the user Grafana runs as permit. The problem is caused by incorrect handling in the path handler for "/public/plugins/<plugin>/", which allows ".." characters to be used to climb to parent directories.

The vulnerability can be exploited through the path of any already-installed plugin, such as "/public/plugins/graph/", "/public/plugins/mysql/" and "/public/plugins/prometheus/" (around 40 plugins are installed by default). For example, to read the file /etc/passwd, the request "/public/plugins/prometheus/../../../../../../../../etc/passwd" could be sent. To detect exploitation, it is recommended to search the HTTP server logs for the pattern "..%2f".
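The two practical points above, what the missing check looks like and how to find the "..%2f" marker in logs, as an added example in Go (Grafana's own language) that is not part of the original article and not Grafana's actual handler code. The plugin root directory, the combined-format access log lines and the plugin file name are constructed for the example:

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"regexp"
	"strings"
)

// pluginRoot is an assumed stand-in for the directory Grafana serves plugin
// assets from; the value is illustrative, not Grafana's real configuration.
const pluginRoot = "/var/lib/grafana/plugins"

// ResolvePluginFile maps a request path under /public/plugins/<id>/ to a file
// under pluginRoot, refusing any path that uses ".." to climb out of it.
// This is the shape of check the vulnerable handler lacked (illustrative
// code, not Grafana's actual handler).
func ResolvePluginFile(requestPath string) (string, error) {
	const prefix = "/public/plugins/"
	// Decode percent-encoding first so "..%2f" is handled as "../".
	decoded, err := url.PathUnescape(requestPath)
	if err != nil {
		return "", fmt.Errorf("bad percent-encoding: %w", err)
	}
	if !strings.HasPrefix(decoded, prefix) {
		return "", fmt.Errorf("not a plugin asset path: %q", requestPath)
	}
	rel := strings.TrimPrefix(decoded, prefix) // "<pluginID>/<asset path>"
	// path.Clean on a rooted path resolves every ".." against "/", so the
	// cleaned form can never point above the virtual root. If cleaning changed
	// the path at all, the request contained ".." (or "." / "//" noise) and is
	// rejected rather than silently rewritten.
	cleaned := path.Clean("/" + rel)
	if cleaned != "/"+rel || strings.Count(cleaned, "/") < 2 {
		return "", fmt.Errorf("path traversal rejected: %q", requestPath)
	}
	full := filepath.Join(pluginRoot, filepath.FromSlash(cleaned))
	// Belt and braces: the final filesystem path must still sit under the root.
	if !strings.HasPrefix(full, pluginRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("resolved outside plugin root: %q", full)
	}
	return full, nil
}

// IsTraversalRequest flags a request path against the plugin route that
// contains ".." in raw or percent-encoded form: the "..%2f" marker the
// article recommends searching for, plus the fully encoded "%2e%2e".
func IsTraversalRequest(rawPath string) bool {
	lower := strings.ToLower(rawPath)
	if !strings.Contains(lower, "/public/plugins/") {
		return false
	}
	for _, marker := range []string{"../", "..%2f", "%2e%2e"} {
		if strings.Contains(lower, marker) {
			return true
		}
	}
	return false
}

// requestLine pulls the request path out of a combined-format access log
// line, such as a reverse proxy in front of Grafana would write.
var requestLine = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/`)

// ScanAccessLog returns the lines whose request path looks like a traversal
// attempt against /public/plugins/.
func ScanAccessLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		m := requestLine.FindStringSubmatch(line)
		if m != nil && IsTraversalRequest(m[1]) {
			hits = append(hits, line)
		}
	}
	return hits
}

// sampleLog is a constructed access log: two ordinary requests and two
// traversal attempts, one raw and one with "/" percent-encoded as "%2f".
var sampleLog = []string{
	`203.0.113.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/graph/img/icon.svg HTTP/1.1" 200 1234`,
	`203.0.113.5 - - [07/Dec/2021:10:01:03 +0000] "GET /public/plugins/prometheus/../../../../../../../../etc/passwd HTTP/1.1" 200 2048`,
	`203.0.113.9 - - [07/Dec/2021:10:01:04 +0000] "GET /public/plugins/mysql/..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2048`,
	`198.51.100.2 - - [07/Dec/2021:10:01:05 +0000] "GET /api/health HTTP/1.1" 200 40`,
}

func main() {
	for _, hit := range ScanAccessLog(sampleLog) {
		fmt.Println("traversal attempt:", hit)
	}
	if p, err := ResolvePluginFile("/public/plugins/graph/img/icon.svg"); err == nil {
		fmt.Println("serving", p)
	}
	if _, err := ResolvePluginFile("/public/plugins/prometheus/../../../../etc/passwd"); err != nil {
		fmt.Println("blocked:", err)
	}
}
```

The resolver rejects a request outright when cleaning changes the path, instead of serving the cleaned result; silently normalising would hide probing from the logs. The log scanner decodes nothing and matches on the raw request string, so the "..%2f" form survives exactly as the proxy wrote it, which is what the article's recommended search relies on.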


The problem has been present since version 8.0.0-beta1 and was fixed in the Grafana releases 8.3.1, 8.2.7, 8.1.8 and 8.0.7, but two further similar vulnerabilities were then identified (CVE-2021-43813, CVE-2021-43815) that have been present since Grafana 5.0.0 and Grafana 8.0.0-beta3 respectively. They allow an authenticated Grafana user to read arbitrary files on the system with the ".md" and ".csv" extensions (and with file names consisting only of lowercase or only of uppercase letters) by placing ".." characters in the paths "/api/plugins/.*/markdown/.*" and "/api/ds/query". Grafana updates 8.3.2 and 7.5.12 were released to fix these vulnerabilities.

Source: opennet.ru
