CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41090 – Instance config inline secret exposure
https://notcve.org/view.php?id=CVE-2021-41090
Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at `/-/config` and metrics instance configs defined for the scraping service are exposed at `/agent/api/v1/configs/:key`. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. • https://github.com/grafana/agent/commit/af7fb01e31fe2d389e5f1c36b399ddc46b412b21 https://github.com/grafana/agent/pull/1152 https://github.com/grafana/agent/releases/tag/v0.20.1 https://github.com/grafana/agent/releases/tag/v0.21.2 https://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh https://security.netapp.com/advisory/ntap-20211229-0004 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.5EPSS: 97%CPEs: 7EXPL: 38CVE-2021-43798 – Grafana path traversal
https://notcve.org/view.php?id=CVE-2021-43798
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `<grafana_host_url>/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. • https://github.com/jas502n/Grafana-CVE-2021-43798 https://www.exploit-db.com/exploits/50581 https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798 https://github.com/Mr-xn/CVE-2021-43798 https://github.com/taythebot/CVE-2021-43798 https://github.com/zer0yu/CVE-2021-43798 https://github.com/ScorpionsMAX/CVE-2021-43798-Grafana-POC https://github.com/asaotomo/CVE-2021-43798-Grafana-Exp https://github.com/z3n70/CVE-2021-43798 https://github.com/M0ge/CVE-2021-43798&# • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41244 – Cross organization admin control in Grafana
https://notcve.org/view.php?id=CVE-2021-41244
Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users’ roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users' roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. • http://www.openwall.com/lists/oss-security/2021/11/15/1 https://github.com/grafana/grafana/security/advisories/GHSA-mpwp-42x6-4wmx https://grafana.com/blog/2021/11/15/grafana-8.2.4-released-with-security-fixes https://security.netapp.com/advisory/ntap-20211223-0001 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere CWE-863: Incorrect Authorization •
CVSS: 6.9EPSS: 95%CPEs: 1EXPL: 0CVE-2021-41174 – XSS vulnerability allowing arbitrary JavaScript execution
https://notcve.org/view.php?id=CVE-2021-41174
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(‘alert(1)’)()}}. • https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912 https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82 https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88 https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8 https://security.netapp.com/advisory/ntap-20211125-0003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 91%CPEs: 4EXPL: 1CVE-2021-39226 – Grafana Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2021-39226
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. • http://www.openwall.com/lists/oss-security/2021/10/05/4 https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269 https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9 https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11 https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT https://lists.fedoraproject • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •