Grafana vulnerability allowing access to files on the system

A vulnerability (CVE-2021-43798) has been identified in the open-source data visualization platform Grafana that allows escaping the base directory and reading arbitrary files in the server's local file system, to the extent that the access rights of the user account Grafana runs under permit. The problem is caused by incorrect handling in the "/public/plugins/ /" path handler, which allowed ".." sequences to be used to reach directories below the intended base.

The vulnerability can be exploited through the URLs of pre-installed plugins, such as "/public/plugins/graph/", "/public/plugins/mysql/" and "/public/plugins/prometheus/" (about 40 plugins are pre-installed in total). For example, to read the /etc/passwd file, one can send the request "/public/plugins/prometheus/../../../../../../../../etc/passwd". To identify traces of exploitation, it is recommended to check HTTP server logs for the presence of the "..%2f" pattern.
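The two points above, the broken ".." handling in the plugin asset handler and the recommended log search for "..%2f", are illustrated by the following Go program. It is an added example written for this page, not Grafana's own code: it shows a hardened resolver that decodes the request path, lets the path package collapse ".." segments and then rejects any result that leaves the plugin's directory (the same containment check is the fix pattern for the later ".md"/".csv" variants under /api/plugins and /api/ds/query), and a small detector that runs that logic over constructed access-log lines. The plugin root directory, the log lines and the Unix-style path layout are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Directory from which bundled plugin assets are served (constructed for this example).
const pluginRoot = "/usr/share/grafana/public/plugins"

// ResolvePluginAsset maps /public/plugins/<plugin>/<asset> to a filesystem path.
// It decodes percent-encoding once (so "..%2f" becomes "../"), lets path.Join
// collapse ".." segments, and rejects any result that does not stay strictly
// inside the plugin's own directory. The check runs on the cleaned absolute path.
func ResolvePluginAsset(requestPath string) (string, bool) {
	decoded, err := url.PathUnescape(requestPath)
	if err != nil {
		return "", false
	}
	const prefix = "/public/plugins/"
	if !strings.HasPrefix(decoded, prefix) {
		return "", false
	}
	parts := strings.SplitN(strings.TrimPrefix(decoded, prefix), "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", false
	}
	pluginDir := path.Join(pluginRoot, parts[0])
	if !strings.HasPrefix(pluginDir, pluginRoot+"/") {
		return "", false // plugin id itself was "." or ".."
	}
	full := path.Join(pluginDir, parts[1])
	if !strings.HasPrefix(full, pluginDir+"/") {
		return "", false // asset path escaped the plugin directory
	}
	return full, true
}

// containsTraversal reports whether a request path carries a ".." segment once
// percent-encoding is undone; decoding repeats (bounded) to catch "..%252f" too.
func containsTraversal(p string) bool {
	decoded := p
	for i := 0; i < 3; i++ {
		next, err := url.PathUnescape(decoded)
		if err != nil || next == decoded {
			break
		}
		decoded = next
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// SuspiciousPluginRequest flags a request that targets the plugin asset handler
// and contains a traversal segment: the log-side counterpart of the "..%2f"
// search, widened to plain and double-encoded forms.
func SuspiciousPluginRequest(requestPath string) bool {
	return strings.HasPrefix(strings.ToLower(requestPath), "/public/plugins/") &&
		containsTraversal(requestPath)
}

// SampleLog holds constructed combined-format access-log lines for the demo.
var SampleLog = []string{
	`10.0.0.5 - - [07/Dec/2021:10:00:01 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 1234`,
	`10.0.0.9 - - [07/Dec/2021:10:00:02 +0000] "GET /public/plugins/prometheus/../../../../../../../../etc/passwd HTTP/1.1" 200 1835`,
	`10.0.0.9 - - [07/Dec/2021:10:00:03 +0000] "GET /public/plugins/mysql/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1835`,
	`10.0.0.7 - - [07/Dec/2021:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 57`,
}

// ScanAccessLog returns the request paths that look like traversal attempts.
func ScanAccessLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		quoted := strings.Split(line, `"`)
		if len(quoted) < 2 {
			continue
		}
		req := strings.Fields(quoted[1]) // method, path, protocol
		if len(req) < 2 {
			continue
		}
		if SuspiciousPluginRequest(req[1]) {
			hits = append(hits, req[1])
		}
	}
	return hits
}

func main() {
	for _, hit := range ScanAccessLog(SampleLog) {
		_, ok := ResolvePluginAsset(hit)
		fmt.Printf("traversal attempt: %s (hardened resolver accepts: %v)\n", hit, ok)
	}
}
```

The resolver deliberately checks the cleaned absolute path rather than looking for ".." in the input, because the input can be encoded in several ways while the cleaned path is what the file system will actually open. The detector takes the opposite approach and normalizes aggressively, since a probe that is double-encoded would not succeed against a single-decode server but is still worth surfacing.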


The problem has been present since version 8.0.0-beta1 and was fixed in the Grafana 8.3.1, 8.2.7, 8.1.8 and 8.0.7 releases, but two further similar vulnerabilities (CVE-2021-43813, CVE-2021-43815) then became known, present since Grafana 5.0.0 and Grafana 8.0.0-beta3 respectively, which allowed an authenticated Grafana user to read arbitrary files on the system with the ".md" and ".csv" extensions (with file names entirely in lower case or entirely in upper case) by manipulating ".." sequences in the "/api/plugins/.*/markdown/.*" and "/api/ds/query" paths. To eliminate these vulnerabilities, the Grafana 8.3.2 and 7.5.12 updates were released.

Source: opennet.ru
