csaf_redhat - rhsa-2022

rhsa-2022_6024

Vulnerability from csaf_redhat

Published

2022-08-09 20:31

Modified

2024-11-06 01:21

Summary

Red Hat Security Advisory: New container image for Red Hat Ceph Storage 5.2 Security update

Notes

Topic

A new container image for Red Hat Ceph Storage 5.2 is now available in the Red Hat Ecosystem Catalog. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 5.2 and Red Hat Enterprise Linux 8.6 and Red Hat Enterprise Linux 9. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes: https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.2/html-single/release_notes/index All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog, which provides numerous enhancements and bug fixes. Security Fix(es): * grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673) * grafana: directory traversal vulnerability (CVE-2021-43813) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A new container image for Red Hat Ceph Storage 5.2 is now available in the Red Hat Ecosystem Catalog.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Ceph Storage is a scalable, open, software-defined storage platform\nthat combines the most stable version of the Ceph storage system with a\nCeph management platform, deployment utilities, and support services.\n\nThis new container image is based on Red Hat Ceph Storage 5.2 and Red Hat\nEnterprise Linux 8.6 and Red Hat Enterprise Linux 9.\n\nSpace precludes documenting all of these changes in this advisory. Users\nare directed to the Red Hat Ceph Storage Release Notes for information on\nthe most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.2/html-single/release_notes/index\n\nAll users of Red Hat Ceph Storage are advised to pull these new images from\nthe Red Hat Ecosystem catalog, which provides numerous enhancements and bug\nfixes.\n\nSecurity Fix(es):\n\n* grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)\n\n* grafana: directory traversal vulnerability (CVE-2021-43813)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:6024",
        "url": "https://access.redhat.com/errata/RHSA-2022:6024"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2031228",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031228"
      },
      {
        "category": "external",
        "summary": "2044628",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044628"
      },
      {
        "category": "external",
        "summary": "2115198",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2115198"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6024.json"
      }
    ],
    "title": "Red Hat Security Advisory: New container image for Red Hat Ceph Storage 5.2 Security update",
    "tracking": {
      "current_release_date": "2024-11-06T01:21:50+00:00",
      "generator": {
        "date": "2024-11-06T01:21:50+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2022:6024",
      "initial_release_date": "2022-08-09T20:31:48+00:00",
      "revision_history": [
        {
          "date": "2022-08-09T20:31:48+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-08-09T20:31:48+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-06T01:21:50+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Ceph Storage 5.2 Tools",
                "product": {
                  "name": "Red Hat Ceph Storage 5.2 Tools",
                  "product_id": "8Base-RHCEPH-5.2-Tools",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ceph_storage:5.2::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Ceph Storage"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x",
                "product": {
                  "name": "rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x",
                  "product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-56"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x",
                "product": {
                  "name": "rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x",
                  "product_id": "rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-16"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x",
                "product": {
                  "name": "rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x",
                  "product_id": "rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-268"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x",
                "product": {
                  "name": "rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x",
                  "product_id": "rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x",
                "product": {
                  "name": "rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x",
                  "product_id": "rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-16"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
                "product": {
                  "name": "rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
                  "product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-56"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le",
                "product": {
                  "name": "rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le",
                  "product_id": "rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-16"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le",
                "product": {
                  "name": "rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le",
                  "product_id": "rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-268"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le",
                "product": {
                  "name": "rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le",
                  "product_id": "rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le",
                "product": {
                  "name": "rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le",
                  "product_id": "rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-16"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
                "product": {
                  "name": "rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
                  "product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-56"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64",
                "product": {
                  "name": "rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64",
                  "product_id": "rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-16"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64",
                "product": {
                  "name": "rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64",
                  "product_id": "rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-268"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64",
                "product": {
                  "name": "rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64",
                  "product_id": "rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-9"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64",
                "product": {
                  "name": "rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64",
                  "product_id": "rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-16"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x"
        },
        "product_reference": "rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le"
        },
        "product_reference": "rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64 as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64"
        },
        "product_reference": "rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64 as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64"
        },
        "product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le"
        },
        "product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x"
        },
        "product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64 as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64"
        },
        "product_reference": "rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x"
        },
        "product_reference": "rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le"
        },
        "product_reference": "rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x"
        },
        "product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le"
        },
        "product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64 as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64"
        },
        "product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x"
        },
        "product_reference": "rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64 as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64"
        },
        "product_reference": "rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le as a component of Red Hat Ceph Storage 5.2 Tools",
          "product_id": "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le"
        },
        "product_reference": "rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le",
        "relates_to_product_reference": "8Base-RHCEPH-5.2-Tools"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-43813",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2021-12-09T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x",
            "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x",
            "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2031228"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "grafana: directory traversal vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x"
        ],
        "known_not_affected": [
          "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x",
          "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le",
          "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x",
          "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-43813"
        },
        {
          "category": "external",
          "summary": "RHBZ#2031228",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031228"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-43813",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-43813"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43813",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43813"
        },
        {
          "category": "external",
          "summary": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/",
          "url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
        }
      ],
      "release_date": "2021-12-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-08-09T20:31:48+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
          "product_ids": [
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6024"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "grafana: directory traversal vulnerability"
    },
    {
      "cve": "CVE-2022-21673",
      "cwe": {
        "id": "CWE-201",
        "name": "Insertion of Sensitive Information Into Sent Data"
      },
      "discovery_date": "2022-01-24T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x",
            "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x",
            "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2044628"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An information-disclosure flaw was found in grafana. When a data source has the Forward OAuth Identity feature enabled, sending a query to that data source with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This flaw allows API token holders to retrieve data to which they may not be authorized.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "grafana: Forward OAuth Identity Token can allow users to access some data sources",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x"
        ],
        "known_not_affected": [
          "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:046f7d4bb244256dfaedd006af00575d63ade28b884ed8f96087c954453248c2_s390x",
          "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:0cba817cebbdf4ac325b722d515f5335c35a4c89ddc069ad1e00b2df91314dfc_ppc64le",
          "8Base-RHCEPH-5.2-Tools:rhceph/keepalived-rhel8@sha256:fa226b35008b7a420e48166c6f53d13331e703ef184d993fd9d7bad601ae1083_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:03c87d18494d1d1796c8729871c001057d0fa19826a672d1bc34da6609e551ba_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:5eba7b2a711ae6b43822d11db41c823de251a2a148903ba430d12fe4870ef2f1_s390x",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-rhel8@sha256:b1e3292d0ba697e36bfd03979900ab28edcfb3e005335cc4d909fe8de863b158_ppc64le",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:1a6c034927989b231f4e358a358163c75a35a36b162756a0f5bc47c787d72074_s390x",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:2a6c28d7ae35fa7aa98c31da08248997c92959e006ce8aea174bcaea299a1eec_ppc64le",
          "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-haproxy-rhel8@sha256:dc65885f716a652fdabe6c43e5522eb81670178f323f944ee3a17b07ce48ecb7_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:75512f53c3938baaf69104244c5016d559ad5b709bc5d67f147c6e09963a6894_s390x",
          "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:b4e3f7682ace25f2446361df2631b02f28d9cd5c9172d8e904d05823e62c8c07_amd64",
          "8Base-RHCEPH-5.2-Tools:rhceph/snmp-notifier-rhel8@sha256:c33fb85b7fd24a9da09ec439a0fd9a76f4a25faf7a17adeae81ec62b086a84ad_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-21673"
        },
        {
          "category": "external",
          "summary": "RHBZ#2044628",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044628"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-21673",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-21673"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-21673",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21673"
        },
        {
          "category": "external",
          "summary": "https://grafana.com/blog/2022/01/18/grafana-8.3.4-and-7.5.13-released-with-important-security-fix/",
          "url": "https://grafana.com/blog/2022/01/18/grafana-8.3.4-and-7.5.13-released-with-important-security-fix/"
        }
      ],
      "release_date": "2022-01-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-08-09T20:31:48+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
          "product_ids": [
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6024"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:78c523070ed4275b7efe6bd10eef95cb3ef97bfd97e2bba42f92e42953e90371_amd64",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:9d59cc5917110dee7d46e08c81b4440c7e3c4a3d841344ac508dd6dc45bd5572_ppc64le",
            "8Base-RHCEPH-5.2-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:d69e364a14d01dff8f0876856e3efe8a3e6496aa69a22131d877628c633a4dd7_s390x"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "grafana: Forward OAuth Identity Token can allow users to access some data sources"
    }
  ]
}

cve-2022-21673

Vulnerability from cvelistv5

Published

2022-01-18 21:35

Modified

2024-08-03 02:46

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

OAuth Identity Token exposure in Grafana

References

▼	URL	Tags
	https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4	x_refsource_CONFIRM
	https://github.com/grafana/grafana/releases/tag/v7.5.13	x_refsource_MISC
	https://github.com/grafana/grafana/releases/tag/v8.3.4	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20220303-0004/	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/	vendor-advisory, x_refsource_FEDORA

Impacted products

▼	Vendor	Product
	grafana	grafana

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:46:39.413Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/grafana/grafana/releases/tag/v7.5.13"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/grafana/grafana/releases/tag/v8.3.4"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220303-0004/"
          },
          {
            "name": "FEDORA-2022-83405f9d5b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
          },
          {
            "name": "FEDORA-2022-9dd03cab55",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
          },
          {
            "name": "FEDORA-2022-c5383675d9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grafana",
          "vendor": "grafana",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.2.0, \u003c 7.5.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.3.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-07T07:06:34",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/grafana/grafana/releases/tag/v7.5.13"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/grafana/grafana/releases/tag/v8.3.4"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220303-0004/"
        },
        {
          "name": "FEDORA-2022-83405f9d5b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
        },
        {
          "name": "FEDORA-2022-9dd03cab55",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
        },
        {
          "name": "FEDORA-2022-c5383675d9",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
        }
      ],
      "source": {
        "advisory": "GHSA-8wjh-59cw-9xh4",
        "discovery": "UNKNOWN"
      },
      "title": "OAuth Identity Token exposure in Grafana",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-21673",
          "STATE": "PUBLIC",
          "TITLE": "OAuth Identity Token exposure in Grafana"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "grafana",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 7.2.0, \u003c 7.5.13"
                          },
                          {
                            "version_value": "\u003e= 8.0.0, \u003c 8.3.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "grafana"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4",
              "refsource": "CONFIRM",
              "url": "https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4"
            },
            {
              "name": "https://github.com/grafana/grafana/releases/tag/v7.5.13",
              "refsource": "MISC",
              "url": "https://github.com/grafana/grafana/releases/tag/v7.5.13"
            },
            {
              "name": "https://github.com/grafana/grafana/releases/tag/v8.3.4",
              "refsource": "MISC",
              "url": "https://github.com/grafana/grafana/releases/tag/v8.3.4"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220303-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220303-0004/"
            },
            {
              "name": "FEDORA-2022-83405f9d5b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"
            },
            {
              "name": "FEDORA-2022-9dd03cab55",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"
            },
            {
              "name": "FEDORA-2022-c5383675d9",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-8wjh-59cw-9xh4",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-21673",
    "datePublished": "2022-01-18T21:35:10",
    "dateReserved": "2021-11-16T00:00:00",
    "dateUpdated": "2024-08-03T02:46:39.413Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2021-43813

Vulnerability from cvelistv5

Published

2021-12-10 17:30

Modified

2024-08-04 04:03

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

Directory Traversal in Grafana

References

▼	URL	Tags
	https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q	x_refsource_CONFIRM
	https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f	x_refsource_MISC
	https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d	x_refsource_MISC
	https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/	x_refsource_MISC
	https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/	x_refsource_MISC
	https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2021/12/10/4	mailing-list, x_refsource_MLIST
	https://security.netapp.com/advisory/ntap-20220107-0006/	x_refsource_CONFIRM

Impacted products

▼	Vendor	Product
	grafana	grafana

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:03:09.012Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/"
          },
          {
            "name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220107-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grafana",
          "vendor": "grafana",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 7.5.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-07T12:06:27",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/"
        },
        {
          "name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220107-0006/"
        }
      ],
      "source": {
        "advisory": "GHSA-c3q8-26ph-9g2q",
        "discovery": "UNKNOWN"
      },
      "title": "Directory Traversal in Grafana",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-43813",
          "STATE": "PUBLIC",
          "TITLE": "Directory Traversal in Grafana"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "grafana",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 7.5.12"
                          },
                          {
                            "version_value": "\u003e= 8.0.0, \u003c 8.3.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "grafana"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q",
              "refsource": "CONFIRM",
              "url": "https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q"
            },
            {
              "name": "https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f",
              "refsource": "MISC",
              "url": "https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f"
            },
            {
              "name": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d",
              "refsource": "MISC",
              "url": "https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d"
            },
            {
              "name": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/",
              "refsource": "MISC",
              "url": "https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/"
            },
            {
              "name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/",
              "refsource": "MISC",
              "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/"
            },
            {
              "name": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/",
              "refsource": "MISC",
              "url": "https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/"
            },
            {
              "name": "[oss-security] 20211210 CVE-2021-43813 and CVE-2021-43815 - Grafana directory traversal for some .md and .csv files",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/12/10/4"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220107-0006/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220107-0006/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-c3q8-26ph-9g2q",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-43813",
    "datePublished": "2021-12-10T17:30:12",
    "dateReserved": "2021-11-16T00:00:00",
    "dateUpdated": "2024-08-04T04:03:09.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2022_6024

Vulnerability from csaf_redhat

cve-2022-21673

Vulnerability from cvelistv5

cve-2021-43813

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature