Changes from the Grafana fix were taken and applied to the configuration of the renderer component.
Roma Novikov
November 14, 2018 at 9:08 AM
@Vadim Yalovets can you try to add "--web-security=true", "--local-url-access=false", to grafana-5.1.3\pkg\components\renderer\render.go lines 104-105? Looks like this is the old place for this code.
Vadim Yalovets
November 14, 2018 at 8:53 AM
It's required to update the whole package. There's no file for patching in our version.
Grafana released "Grafana 5.3.3 and 4.6.5 Security Update" https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961 and included a specific patch indicating the .
Note: we are using Grafana 5.1.3, so we can't use the patch directly; we need to modify it.
User Impact:
Any users with Editor or Admin permissions in Grafana can read from the file system any file the Grafana process has access to. In order to exploit this you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.
This affects PMM Server since the 1.1.0 Beta release of February 7th 2017, while the April 20 2018 release 1.10.0 was our first non-vulnerable release (we started building Grafana ourselves and unintentionally omitted the PhantomJS binary).
Users on release 1.10.0 or newer are not affected by this vulnerability.
In 1.17.0 we are fixing PhantomJS functionality.
Steps to Reproduce:
Not disclosed at this time.
Current Result:
Any user authenticated to Grafana with Editor or Admin role can read any file that the Grafana process can read from the file system.
Expected Results:
Grafana Users cannot gain access to the file system.
The workaround for users unable to upgrade is to perform two actions:
Set all Users to Viewer access level only
Remove all dashboards that contain text panels
----------
Please see this:
https://github.com/grafana/grafana/commit/a8aa16673ed577b786eb2752e1ededc5cb309193#diff-3d553362b377027c6be7867e68a4a75c
Can we apply changes from pkg/services/rendering/phantomjs.go to our build?
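
The second workaround action above (removing dashboards that contain text panels) first requires finding them. The following Go sketch is an added example, not code from this ticket or from Grafana: it assumes dashboards have been exported as JSON, that text panels are stored with `"type": "text"`, and the type and function names are illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Panel and Dashboard mirror only the dashboard JSON fields this audit reads.
type Panel struct {
	Type   string  `json:"type"`
	Title  string  `json:"title"`
	Panels []Panel `json:"panels"` // children of a 5.x row panel or a pre-5.0 row
}

type Dashboard struct {
	Panels  []Panel    `json:"panels"`    // Grafana 5.x layout
	Rows    []Panel    `json:"rows"`      // pre-5.0 layout: rows hold the panels
	Wrapped *Dashboard `json:"dashboard"` // set when input is the API envelope
}

// TextPanels lists titles of "text" panels in a bare or API-wrapped dashboard JSON.
func TextPanels(raw []byte) ([]string, error) {
	var d Dashboard
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, fmt.Errorf("parse dashboard JSON: %w", err)
	}
	if d.Wrapped != nil {
		d = *d.Wrapped
	}
	var found []string
	var walk func([]Panel)
	walk = func(ps []Panel) {
		for _, p := range ps {
			if p.Type == "text" {
				found = append(found, p.Title)
			}
			walk(p.Panels) // descend into rows and nested panels
		}
	}
	walk(d.Panels)
	walk(d.Rows)
	return found, nil
}

// Constructed sample, not taken from any real PMM dashboard.
const sample = `{"dashboard":{"panels":[{"type":"graph","title":"QPS"},{"type":"row","panels":[{"type":"text","title":"Notes"}]}]}}`

func main() {
	fmt.Println(TextPanels([]byte(sample)))
}
```

Any dashboard for which the function returns a non-empty list is a candidate for removal under the workaround.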