grafana-7.5.11-2.el8
Errata ID: AXSA:2022-3494:02
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
The following packages have been upgraded to a later upstream version: grafana (7.5.11). (BZ#1993214)
Security Fix(es):
* grafana: directory traversal vulnerability (CVE-2021-43813)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Asianux Server 8.6 Release Notes linked from the References section.
CVE-2021-43813
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope: it allows access only to files with the extension .md, and only to authenticated users. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the path of the request will mitigate the vulnerability. The proxy must also be able to handle URL-encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.
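The two workarounds above (normalize the request path, including URL-encoded forms, and block the markdown endpoint) can be combined in one proxy-side check. The following Python sketch is an added example, not code from this advisory or from Grafana; the function names, the decode-round limit and the sample paths are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Block pattern quoted from the advisory's workaround text.
BLOCK_RE = re.compile(r"^/api/plugins/.*/markdown/.*")
MAX_DECODE_ROUNDS = 3  # assumption: cap on nested percent-encoding


def canonical_path(request_target):
    """Decode and normalize the path part of a request target.

    Returns None when the path is still changing after MAX_DECODE_ROUNDS
    of percent-decoding, so the caller can refuse the request.
    """
    path = request_target.partition("?")[0]  # the query string is not routed on
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        if unquote(path) != path:
            return None
    # Collapse duplicate slashes and dot segments; keep a trailing slash.
    normalized = posixpath.normpath("/" + path.lstrip("/"))
    if path.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized


def should_block(request_target):
    """True if the request must not be forwarded to Grafana."""
    path = canonical_path(request_target)
    if path is None:
        return True
    # Also test the decoded but un-normalized form, in case the proxy
    # forwards the original path rather than the canonical one.
    decoded_once = unquote(request_target.partition("?")[0])
    return bool(BLOCK_RE.match(path) or BLOCK_RE.match(decoded_once))


# Constructed sample request targets (not taken from real traffic).
SAMPLES = [
    "/api/plugins/demo-plugin/markdown/help",
    "/api/plugins/demo-plugin/%6Darkdown/help",
    "/api//plugins/demo-plugin/markdown/help",
    "/api/plugins/demo-plugin/settings",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(("BLOCK" if should_block(target) else "ALLOW"), target)
```

A block rule matched against the raw request line alone would miss the second and third samples, which is why the decoding and normalization step has to come first.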
Update packages.
N/A
SRPMS
- grafana-7.5.11-2.el8.src.rpm
MD5: 319d3f1aba835f71acbd5a367fc803b6
SHA-256: fda08526046cfc5212e94cf861cc9aa12c59ad8de5366b19de00e9f9f8beb5c9
Size: 116.73 MB
Asianux Server 8 for x86_64
- grafana-7.5.11-2.el8.x86_64.rpm
MD5: c30cfcb772f88cbdb97597f462d9a039
SHA-256: 777ade7f707eef85f02f9a1f535a990e12d724351629ba51093b700db09c7b12
Size: 40.00 MB