Vulnerability in Grafana allowing access to files on the system

A vulnerability (CVE-2021-43798) has been identified in the open-source data visualization platform Grafana that allows escaping the base directory and reading arbitrary files on the server's local filesystem, as far as the access rights of the user account Grafana runs under permit. The problem is caused by incorrect handling of the "/public/plugins/<plugin>/" path handler, which allowed ".." components to be used to reach directories below the plugin directory.

The vulnerability can be exploited by requesting the URL of any of the standard preinstalled plugins, such as "/public/plugins/graph/", "/public/plugins/mysql/" and "/public/plugins/prometheus/" (about 40 plugins are preinstalled in total). For example, to read the file /etc/passwd, a request of the form "/public/plugins/prometheus/../../../../../../../../etc/passwd" could be sent. To identify traces of exploitation, it is recommended to check the HTTP server logs for the pattern "..%2f".
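The log check recommended above, as an added example that is not part of the original article: it scans access-log lines for requests to the affected plugin routes whose path, after percent-decoding, contains a ".." segment, so it catches the literal "../" form, the "..%2f" form and double-encoded variants. The log lines and field layout (combined-log style) are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/prometheus/../../../../../../../../etc/passwd HTTP/1.1" 200 1721
10.0.0.6 - - [07/Dec/2021:10:01:05 +0000] "GET /public/plugins/graph/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1721
10.0.0.7 - - [07/Dec/2021:10:02:11 +0000] "GET /public/plugins/mysql/img/mysql_logo.svg HTTP/1.1" 200 4231
10.0.0.8 - - [07/Dec/2021:10:03:40 +0000] "GET /api/plugins/graph/markdown/..%2F..%2Freadme HTTP/1.1" 200 88
10.0.0.9 - - [07/Dec/2021:10:04:00 +0000] "GET /api/dashboards/home HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# URL routes named in the article for CVE-2021-43798 and CVE-2021-43813.
# "/api/ds/query" (CVE-2021-43815) is not listed: its traversal sits in the
# POST body, which an access log does not record.
AFFECTED_PREFIXES = ("/public/plugins/", "/api/plugins/")

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so double-encoded '..' (e.g. %252e%252e) is seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal_request(path):
    """True if the request targets an affected route and contains a '..' segment."""
    decoded = decode_fully(path.split("?", 1)[0])
    if not decoded.startswith(AFFECTED_PREFIXES):
        return False
    return any(seg == ".." for seg in re.split(r"[/\\]", decoded))

def find_traversal_attempts(log_text):
    """Return (line number, client address, raw request path) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and is_traversal_request(m.group("path")):
            hits.append((lineno, line.split()[0], m.group("path")))
    return hits

if __name__ == "__main__":
    for lineno, client, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {lineno}: {client} requested {path}")
```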

The problem has been present since version 8.0.0-beta1 and was fixed in the Grafana releases 8.3.1, 8.2.7, 8.1.8 and 8.0.7, but two further similar vulnerabilities were then identified (CVE-2021-43813, CVE-2021-43815), present since Grafana 5.0.0 and Grafana 8.0.0-beta3 respectively, which allowed an authenticated Grafana user to read arbitrary files on the system with the ".md" and ".csv" extensions (only files whose names are entirely lowercase or entirely uppercase), by manipulating ".." components in the paths "/api/plugins/.*/markdown/.*" and "/api/ds/query". To address these vulnerabilities, the Grafana 8.3.2 and 7.5.12 updates were released.

Source: opennet.ru