| Summary: | <www-apps/grafana-bin-9.2.4: multiple vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | patrick |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/grafana/grafana/releases/tag/v9.2.3 | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 880669 | ||
|
Description
John Helmert III
2022-11-01 16:14:50 UTC
CVE-2022-39306 (https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84): Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds. Needs bump to 9.2.4. CVE-2022-39307 (https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5): Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3372327fcbb60401503751c4ab58f8ef272204a commit f3372327fcbb60401503751c4ab58f8ef272204a Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-11-10 01:49:35 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-11-10 01:50:13 +0000 www-apps/grafana-bin: drop 8.5.14, 9.0.9, 9.1.8, 9.2.0 Bug: https://bugs.gentoo.org/877097 Bug: https://bugs.gentoo.org/879025 Bug: https://bugs.gentoo.org/880551 Signed-off-by: John Helmert III <ajak@gentoo.org> www-apps/grafana-bin/Manifest | 4 -- www-apps/grafana-bin/grafana-bin-8.5.14.ebuild | 66 -------------------------- www-apps/grafana-bin/grafana-bin-9.0.9.ebuild | 66 -------------------------- www-apps/grafana-bin/grafana-bin-9.1.8.ebuild | 66 -------------------------- www-apps/grafana-bin/grafana-bin-9.2.0.ebuild | 66 -------------------------- 5 files changed, 268 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4c1fcd35fb637eebe424ca7ad4a19da02ab2398 commit b4c1fcd35fb637eebe424ca7ad4a19da02ab2398 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2022-11-10 01:48:42 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-11-10 01:49:55 +0000 www-apps/grafana-bin: add 9.2.4 Bug: https://bugs.gentoo.org/879025 Bug: https://bugs.gentoo.org/880551 Signed-off-by: John Helmert III <ajak@gentoo.org> www-apps/grafana-bin/Manifest | 1 + www-apps/grafana-bin/grafana-bin-9.2.4.ebuild | 66 +++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) Cleanup done, all done. |