github.com/grafana/grafana is vulnerable to path traversal. The vulnerability exists in the pluginMarkdown function in plugins.go, allowing an authenticated attacker to access fully lowercase or fully uppercase ‘.md’ files outside the expected directory.
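The class of flaw described above, sketched as an added example (this is not Grafana's code). It assumes a handler that builds the file name by upper- or lower-casing a request-supplied name and appending .md; the function names, directory and inputs are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsidePluginDir signals a resolved path that leaves the plugin directory.
var ErrOutsidePluginDir = errors.New("markdown path escapes plugin directory")

// escapes reports whether path p lies outside dir.
func escapes(dir, p string) bool {
	rel, err := filepath.Rel(dir, p)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// naiveMarkdownPath (hypothetical) shows the weak pattern: filepath.Join
// resolves ".." segments in name, so the result can leave pluginDir.
func naiveMarkdownPath(pluginDir, name string) string {
	return filepath.Join(pluginDir, strings.ToUpper(name)+".md")
}

// safeMarkdownPaths (hypothetical) returns the upper- and lower-case candidates.
// Rooting the name at "/" before cleaning discards leading ".." segments; the
// containment check afterwards is defence in depth.
func safeMarkdownPaths(pluginDir, name string) ([]string, error) {
	var out []string
	for _, n := range []string{strings.ToUpper(name), strings.ToLower(name)} {
		rel := filepath.Clean(filepath.Join("/", n+".md"))
		full := filepath.Join(pluginDir, rel)
		if escapes(pluginDir, full) {
			return nil, ErrOutsidePluginDir
		}
		out = append(out, full)
	}
	return out, nil
}

func main() {
	dir := "/srv/plugins/example-panel" // constructed sample directory
	for _, name := range []string{"readme", "../other-plugin/readme"} { // constructed inputs
		naive := naiveMarkdownPath(dir, name)
		safe, err := safeMarkdownPaths(dir, name)
		fmt.Printf("%q naive=%s escapes=%v safe=%v err=%v\n", name, naive, escapes(dir, naive), safe, err)
	}
}
```

The containment check is lexical only; symlinks inside the plugin directory are not resolved.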
www.openwall.com/lists/oss-security/2021/12/10/4
github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f
github.com/grafana/grafana/commit/d6ec6f8ad28f0212e584406730f939105ff6c6d3
github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d
github.com/grafana/grafana/pull/42979
github.com/grafana/grafana/releases/tag/v8.3.2
github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q
grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix/
grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12/
grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-2/
security.netapp.com/advisory/ntap-20220107-0006/