x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519

GoVulnBot · 2024-02-01T22:01:22Z

In GitHub Security Advisory GHSA-m25m-5778-fm22, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/grafana/grafana	7.2.1	>= 6.0, < 7.2.1

Cross references:

Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-41244 #259 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43798 #275 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43813 #276 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-43815 #277 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21673 #296 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21702 #311 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21703 #312 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2022-21713 #313 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2018-18623 #342 NOT_IMPORTABLE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api: GHSA-rgjg-66cx-5x9m #707 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana/pkg/api/avatar: GHSA-wc9w-wvq2-ffm9 #753 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-27358, GHSA-h5rh-w6vm-9ghc #773 #773 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: CVE-2021-39226, GHSA-69j6-29vr-p3j9 #934 NOT_IMPORTABLE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7rqg-hjwc-6mjf #1599 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hjv9-hm2f-rpcj #1603 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-xw5p-hw8j-xg4q #1604 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3cgw-hfw7-wc7j #1673 NOT_A_VULNERABILITY
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-qrrg-gw7w-vp76 #1674 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7phr-6cc9-4m5q #1680 NOT_GO_CODE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-wm7r-3qxj-5xgq #1843 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x2w4-c67p-g44j #1844 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-cvm3-pp2j-chr3 #1856 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-mpv3-g8m3-3fjc #1875 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-x5fh-fvvr-892f #1964 EFFECTIVELY_PRIVATE
Module github.com/grafana/grafana appears in issue x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-fw9c-75hh-89p6 #2120 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/grafana/grafana
      versions:
        - introduced: 6.0.0
          fixed: 7.2.1
      packages:
        - package: github.com/grafana/grafana
summary: Grafana world readable configuration files
cves:
    - CVE-2020-12459
ghsas:
    - GHSA-m25m-5778-fm22
references:
    - web: https://nvd.nist.gov/vuln/detail/CVE-2020-12459
    - report: https://github.com/grafana/grafana/issues/8283
    - web: https://access.redhat.com/security/cve/CVE-2020-12459
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=1827765
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=1829724
    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/
    - web: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/
    - web: https://security.netapp.com/advisory/ntap-20200518-0004/
    - web: https://src.fedoraproject.org/rpms/grafana/c/fab93d67363eb0a9678d9faf160cc88237f26277
    - fix: https://github.com/grafana/grafana/commit/102448040d5132460e3b0013e03ebedec0677e00
    - advisory: https://github.com/advisories/GHSA-m25m-5778-fm22

The text was updated successfully, but these errors were encountered:

timothy-king · 2024-02-01T22:46:47Z

Duplicate of #2513

gopherbot · 2024-07-02T17:07:52Z

Change https://go.dev/cl/596175 mentions this issue: data/reports: add GO-2024-2519, update GO-2024-2833

gopherbot · 2024-08-16T21:16:36Z

Change https://go.dev/cl/606358 mentions this issue: data/reports: regenerate 50 reports

- data/reports/GO-2024-2428.yaml - data/reports/GO-2024-2442.yaml - data/reports/GO-2024-2444.yaml - data/reports/GO-2024-2445.yaml - data/reports/GO-2024-2446.yaml - data/reports/GO-2024-2447.yaml - data/reports/GO-2024-2448.yaml - data/reports/GO-2024-2449.yaml - data/reports/GO-2024-2450.yaml - data/reports/GO-2024-2478.yaml - data/reports/GO-2024-2485.yaml - data/reports/GO-2024-2486.yaml - data/reports/GO-2024-2488.yaml - data/reports/GO-2024-2499.yaml - data/reports/GO-2024-2501.yaml - data/reports/GO-2024-2505.yaml - data/reports/GO-2024-2508.yaml - data/reports/GO-2024-2509.yaml - data/reports/GO-2024-2511.yaml - data/reports/GO-2024-2513.yaml - data/reports/GO-2024-2514.yaml - data/reports/GO-2024-2515.yaml - data/reports/GO-2024-2517.yaml - data/reports/GO-2024-2519.yaml - data/reports/GO-2024-2520.yaml - data/reports/GO-2024-2523.yaml - data/reports/GO-2024-2540.yaml - data/reports/GO-2024-2541.yaml - data/reports/GO-2024-2566.yaml - data/reports/GO-2024-2568.yaml - data/reports/GO-2024-2569.yaml - data/reports/GO-2024-2576.yaml - data/reports/GO-2024-2578.yaml - data/reports/GO-2024-2579.yaml - data/reports/GO-2024-2580.yaml - data/reports/GO-2024-2582.yaml - data/reports/GO-2024-2588.yaml - data/reports/GO-2024-2589.yaml - data/reports/GO-2024-2590.yaml - data/reports/GO-2024-2591.yaml - data/reports/GO-2024-2592.yaml - data/reports/GO-2024-2593.yaml - data/reports/GO-2024-2594.yaml - data/reports/GO-2024-2595.yaml - data/reports/GO-2024-2597.yaml - data/reports/GO-2024-2629.yaml - data/reports/GO-2024-2635.yaml - data/reports/GO-2024-2636.yaml - data/reports/GO-2024-2637.yaml - data/reports/GO-2024-2641.yaml Updates #2428 Updates #2442 Updates #2444 Updates #2445 Updates #2446 Updates #2447 Updates #2448 Updates #2449 Updates #2450 Updates #2478 Updates #2485 Updates #2486 Updates #2488 Updates #2499 Updates #2501 Updates #2505 Updates #2508 Updates #2509 Updates #2511 Updates #2513 Updates #2514 Updates #2515 Updates #2517 Updates #2519 Updates #2520 Updates #2523 Updates #2540 Updates #2541 Updates #2566 Updates #2568 Updates #2569 Updates #2576 Updates #2578 Updates #2579 Updates #2580 Updates #2582 Updates #2588 Updates #2589 Updates #2590 Updates #2591 Updates #2592 Updates #2593 Updates #2594 Updates #2595 Updates #2597 Updates #2629 Updates #2635 Updates #2636 Updates #2637 Updates #2641 Change-Id: If02ad5ae2b621addda56b45d8c84b0476a12737b Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606358 Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

timothy-king added the duplicate label Feb 1, 2024

timothy-king marked this as a duplicate of #2517 Feb 1, 2024

timothy-king marked this as a duplicate of #2513 Feb 1, 2024

tatianab closed this as completed Feb 7, 2024

tatianab removed the duplicate label Jul 2, 2024

tatianab self-assigned this Jul 2, 2024

tatianab reopened this Jul 2, 2024

tatianab added the triaged label Jul 2, 2024

gopherbot closed this as completed in 3fc0880 Jul 2, 2024

GoVulnBot mentioned this issue Aug 20, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-hh8p-374f-qgr5 #3079

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519

GoVulnBot commented Feb 1, 2024

timothy-king commented Feb 1, 2024 •

edited

Loading

gopherbot commented Jul 2, 2024

gopherbot commented Aug 16, 2024

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-m25m-5778-fm22 #2519

Comments

GoVulnBot commented Feb 1, 2024

timothy-king commented Feb 1, 2024 • edited Loading

gopherbot commented Jul 2, 2024

gopherbot commented Aug 16, 2024

timothy-king commented Feb 1, 2024 •

edited

Loading