Vulnerability in Grafana allowing access to system files

A vulnerability (CVE-2021-43798) has been identified in the open-source data visualisation platform Grafana. It allows path traversal and reading of arbitrary files on the server's local file system, limited only by the permissions of the user account Grafana runs as. The issue is caused by incorrect handling in the "/public/plugins/" path handler, which allowed ".." sequences to be used to reach parent directories.

The vulnerability can be exploited through the URLs of any of the standard pre-installed plugins, such as "/public/plugins/graph/", "/public/plugins/mysql/" and "/public/plugins/prometheus/" (there are roughly 40 pre-installed plugins in total). For example, to reach the /etc/passwd file, a request of the form "/public/plugins/prometheus/../../../../../../../../" followed by the target path could be sent. To look for traces of exploitation, it is recommended to check the HTTP server logs for the "..%2f" pattern.
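The log check recommended above, as an added example that is not part of the original article: a small Python scanner over constructed access-log lines that percent-decodes each request path, normalises it, and flags any request whose resolved path escapes its /public/plugins/<plugin-id>/ directory (this also catches "%2e%2e" encodings that a literal "..%2f" search would miss). The log lines, IP addresses and the helper names are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 4512
10.0.0.9 - - [07/Dec/2021:10:01:09 +0000] "GET /public/plugins/prometheus/..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1203
10.0.0.9 - - [07/Dec/2021:10:01:15 +0000] "GET /public/plugins/mysql/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 220
10.0.0.7 - - [07/Dec/2021:10:02:00 +0000] "GET /api/dashboards/home HTTP/1.1" 200 980
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
PLUGIN_PREFIX = "/public/plugins/"


def escapes_plugin_dir(raw_path):
    """True if the request path, after one round of percent-decoding and
    normalisation, resolves outside /public/plugins/<plugin-id>/."""
    path = unquote(raw_path.split("?", 1)[0])  # drop query string, decode once
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id = path[len(PLUGIN_PREFIX):].split("/", 1)[0]
    plugin_root = PLUGIN_PREFIX + plugin_id + "/"
    # normpath collapses "a/b/../c" style segments; a path that climbs above
    # the plugin directory no longer starts with the plugin root afterwards.
    normalised = posixpath.normpath(path)
    return not (normalised + "/").startswith(plugin_root)


def find_traversal(log_text):
    """Return (client_ip, raw_path) for every request that escapes its plugin dir."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and escapes_plugin_dir(m.group("path")):
            hits.append((line.split()[0], m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The same `escapes_plugin_dir` check is the shape of the guard a static-file handler needs: decode, normalise, then verify the result is still under the intended root before opening anything.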


The issue has been present since version 8.0.0-beta1 and was fixed in Grafana 8.3.1, 8.2.7, 8.1.8 and 8.0.7. Afterwards, two further similar vulnerabilities (CVE-2021-43813, CVE-2021-43815), present since Grafana 5.0.0 and 8.0.0-beta3, were found; they allow an authenticated Grafana user to read arbitrary files on the system with the ".md" and ".csv" extensions (only files whose names are entirely lowercase or entirely uppercase), using ".." sequences in the "/api/plugins/.*/markdown/.*" and "/api/ds/" paths. To address these vulnerabilities, the Grafana 8.3.2 and 7.5.12 updates were released.

Source: opennet.ru
