A vulnerability (CVE-2021-43798) has been identified in the open-source data visualization platform Grafana that allows an attacker to escape the base directory and read arbitrary files on the server's local filesystem, limited only by the permissions of the user account Grafana runs under. The problem is caused by incorrect handling of paths under the "/public/plugins/<plugin>/" route, where ".." components were accepted and allowed traversal into parent directories.
The vulnerability can be exploited through the URL of any of the standard pre-installed plugins, such as "/public/plugins/graph/", "/public/plugins/mysql/" and "/public/plugins/prometheus/" (about 40 plugins ship pre-installed in total). For example, to retrieve the /etc/passwd file, one could send the request "/public/plugins/prometheus/../../../../../../../../etc/passwd". To look for signs of exploitation, it is recommended to check the HTTP server logs for the "..%2f" pattern (the URL-encoded form of "../").

The problem was present starting with version 8.0.0-beta1 and was fixed in Grafana releases 8.3.1, 8.2.7, 8.1.8 and 8.0.7. Two further, similar vulnerabilities (CVE-2021-43813, CVE-2021-43815) were then identified, present since Grafana 5.0.0 and Grafana 8.0.0-beta3, which allowed an authenticated Grafana user to read arbitrary files on the system with the ".md" and ".csv" extensions (only files whose names consist entirely of lowercase or entirely of uppercase characters) by inserting ".." components into the paths "/api/plugins/.*/markdown/.*" and "/api/ds/query". Grafana 8.3.2 and 7.5.12 were released to address these vulnerabilities.
Source: opennet.ru
