Vulnerability in Grafana allowing access to files on the system

A vulnerability (CVE-2021-43798) has been identified in the open-source data visualisation platform Grafana that allows escaping the base directory and reading arbitrary files on the server's local file system, as far as the access rights of the user account Grafana runs under permit. The problem is caused by incorrect handling in the "/public/plugins/" path handler (the segment that carries the plugin name), which allowed ".." components to be used to reach the base directory.

The vulnerability can be exploited by accessing the URL of typical pre-installed plugins, such as "/public/plugins/graph/", "/public/plugins/mysql/" and "/public/plugins/prometheus/" (about 40 plugins are pre-installed in total). For example, to access the file /etc/passwd, one could send the request "/public/plugins/prometheus/../../../../../../../../etc/passwd". To identify traces of exploitation, it is recommended to check the HTTP server logs for the presence of the pattern "..%2f".
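The log check recommended above, as an added example that is not part of the original article: it scans access-log lines for requests under "/public/plugins/" whose path still contains a ".." segment after percent-decoding, so plain "../", "..%2f" and "%2e%2e" forms are all caught. The log lines are constructed samples in a common-log-like format, not real Grafana output.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Grafana logs).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/graph/module.js HTTP/1.1" 200 1234
10.0.0.9 - - [07/Dec/2021:10:01:07 +0000] "GET /public/plugins/prometheus/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2561
10.0.0.9 - - [07/Dec/2021:10:01:09 +0000] "GET /public/plugins/mysql/../../../../../../etc/passwd HTTP/1.1" 200 2561
10.0.0.9 - - [07/Dec/2021:10:01:11 +0000] "GET /public/plugins/graph/%2e%2e/%2e%2e/%2e%2e/conf/defaults.ini HTTP/1.1" 200 890
10.0.0.7 - - [07/Dec/2021:10:02:00 +0000] "GET /api/ds/query HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
PLUGIN_PREFIX = "/public/plugins/"   # the handler affected by CVE-2021-43798


def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so ..%2f, %2e%2e and double-encoded forms normalise to '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True when the request hits the plugin handler and a '..' path segment survives decoding."""
    decoded = decode_fully(path).split("?", 1)[0]
    if not decoded.startswith(PLUGIN_PREFIX):
        return False
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_attempts(log_text):
    """Return (client_ip, raw_request_path) for every line that looks like a traversal probe."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group("path")):
            hits.append((line.split(" ", 1)[0], match.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"possible CVE-2021-43798 probe from {ip}: {path}")
```

A 200 status on such a line is the strongest signal that the server actually served the file; on patched versions the same request is rejected.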


The problem has been present since version 8.0.0-beta1 and was fixed in the Grafana 8.3.1, 8.2.7, 8.1.8 and 8.0.7 releases, but two similar vulnerabilities were then identified (CVE-2021-43813, CVE-2021-43815), present since Grafana 5.0.0 and Grafana 8.0.0-beta3 respectively, which allowed an authenticated Grafana user to access arbitrary files on the system with the ".md" and ".csv" extensions (only file names written entirely in lowercase or entirely in uppercase), by manipulating ".." components in the paths "/api/plugins/.*/markdown/.*" and "/api/ds/query". To address these vulnerabilities, the Grafana 8.3.2 and 7.5.12 updates were released.

Source: opennet.ru
