Grafana versions 8.0.0-beta1 to 8.3.0 have a path traversal vulnerability, allowing access to local files. The current 8.x version in the tree, 8.2.4, is vulnerable and needs to be updated to 8.2.7 or 8.3.1.
Reproducible: Always
Thank you for reporting! I've started watching releases/security advisories in that repository so I'll notice these quicker in the future. Maintainer: please bump.
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83bb4dff3c2fa1626118e11d6f4aa7cac5629b7b

commit 83bb4dff3c2fa1626118e11d6f4aa7cac5629b7b
Author:     Patrick Lauer <patrick@gentoo.org>
AuthorDate: 2021-12-09 06:37:31 +0000
Commit:     Patrick Lauer <patrick@gentoo.org>
CommitDate: 2021-12-09 06:37:54 +0000

    www-apps/grafana-bin: Bump to 8.2.7 8.3.1

    Remove old

    Closes: https://bugs.gentoo.org/828582
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Patrick Lauer <patrick@gentoo.org>

 www-apps/grafana-bin/Manifest                      |  3 +-
 ...a-bin-8.2.4.ebuild => grafana-bin-8.2.7.ebuild} |  0
 www-apps/grafana-bin/grafana-bin-8.3.1.ebuild      | 64 ++++++++++++++++++++++
 3 files changed, 66 insertions(+), 1 deletion(-)
If you're going to close trivial security bugs on your own, please set whiteboard to [noglsa] and fixup the summary.