Oval Definition: oval:org.opensuse.security:def:202143815
Revision Date: 2022-09-02
Version: 1
Title: CVE-2021-43815
Description:

Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope: it only allows authenticated users to read files with the .csv extension. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will also have to be able to handle URL-encoded paths.
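The workaround above hinges on two details: the proxy must canonicalize the request path, and it must decode percent-encoding first, otherwise "..%2F" slips past a check that only looks for "../". The following Go handler is an added example written for this page; it is not Grafana's or SUSE's code. It percent-decodes repeatedly (to unwrap double encoding), resolves dot segments with an explicit stack so that climbing above "/" is detected instead of silently clamped, and rewrites the request path before forwarding. The sample paths, the decision to reject rather than clamp, and the treatment of backslashes as separators are assumptions of the example, not statements about Grafana's routing.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// maxDecodeRounds bounds repeated percent-decoding so that double-encoded
// sequences such as "%252e%252e" (-> "%2e%2e" -> "..") are unwrapped, while
// a path that never stabilizes is rejected instead of looping.
const maxDecodeRounds = 3

var errTraversal = errors.New("path climbs above the web root after normalization")

// NormalizePath returns the canonical form of a raw request path: it
// percent-decodes until the string stops changing, rejects NUL bytes, treats
// backslashes as separators (a conservative choice for this example), drops
// "." and empty segments, resolves ".." against the preceding segment, and
// fails if a ".." would climb above "/". The result contains neither dot
// segments nor percent-encoding, so the backend cannot resolve it differently
// than the proxy did.
func NormalizePath(raw string) (string, error) {
	decoded := raw
	stable := false
	for i := 0; i < maxDecodeRounds; i++ {
		next, err := url.PathUnescape(decoded)
		if err != nil {
			return "", fmt.Errorf("malformed percent-encoding: %w", err)
		}
		if next == decoded {
			stable = true
			break
		}
		decoded = next
	}
	if !stable {
		return "", errors.New("path still percent-encoded after repeated decoding")
	}
	if strings.ContainsRune(decoded, 0) {
		return "", errors.New("NUL byte in path")
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/")

	// Explicit stack: path.Clean would silently drop a ".." at the root,
	// hiding the fact that the client tried to escape the web root.
	var stack []string
	for _, seg := range strings.Split(decoded, "/") {
		switch seg {
		case "", ".":
			continue
		case "..":
			if len(stack) == 0 {
				return "", errTraversal
			}
			stack = stack[:len(stack)-1]
		default:
			stack = append(stack, seg)
		}
	}
	return "/" + strings.Join(stack, "/"), nil
}

// NormalizingHandler rewrites the request path before handing the request to
// next (for example an httputil.ReverseProxy pointed at Grafana) and answers
// 400 for anything NormalizePath rejects.
func NormalizingHandler(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// EscapedPath keeps the encoded form the client sent, so encoded
		// separators are decoded here rather than by net/url ahead of us.
		clean, err := NormalizePath(r.URL.EscapedPath())
		if err != nil {
			http.Error(w, "bad request: "+err.Error(), http.StatusBadRequest)
			return
		}
		r.URL.Path = clean
		r.URL.RawPath = "" // let net/url re-encode from the clean Path
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample paths for the example; none is a real Grafana endpoint.
	for _, p := range []string{
		"/a/b/c.csv",
		"/a/./b//c.csv",
		"/a/b/..%2F..%2F..%2Fsecret.csv",
		"/a/%252e%252e/%252e%252e/secret.csv",
		`/a/..\..\secret.csv`,
	} {
		clean, err := NormalizePath(p)
		fmt.Printf("%-40s -> %q err=%v\n", p, clean, err)
	}
}
```

To deploy it as the described workaround, wrap `httputil.NewSingleHostReverseProxy(target)` in `NormalizingHandler` and serve that in front of the Grafana listener (the target address is yours to supply). The handler only sees the URL path, so it is a stop-gap for users who cannot upgrade; the patched versions named above remain the fix.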
Family: unix
Class: vulnerability
Status:
Reference(s): Mitre CVE-2021-43815
SUSE CVE-2021-43815
SUSE-SU-2022:0751-1
SUSE-SU-2022:1396-1
SUSE-CU-2022:878-1
SUSE-SU-2022:2134-1
Platform(s):openSUSE Leap 15.3
openSUSE Leap 15.4
SUSE Enterprise Storage 6
SUSE Linux Enterprise Module for SUSE Manager Server 4.2
SUSE Linux Enterprise Server 12 SP4-ESPOS
SUSE Linux Enterprise Server 12 SP4-LTSS
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP4
SUSE Linux Enterprise Server for SAP Applications 12 SP5
SUSE Manager Server 4.2
SUSE OpenStack Cloud 8
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 8
SUSE OpenStack Cloud Crowbar 9
Product(s):
Definition Synopsis
  • Release Information
  • SUSE OpenStack Cloud 8 is installed
  • OR SUSE OpenStack Cloud Crowbar 8 is installed
  • AND grafana is not affected
  • Definition Synopsis
  • Release Information
  • SUSE OpenStack Cloud 9 is installed
  • OR SUSE OpenStack Cloud Crowbar 9 is installed
  • AND grafana is not affected
  • Definition Synopsis
  • SUSE Enterprise Storage 6 is installed
  • AND grafana is not affected
  • Definition Synopsis
  • Release Information
  • SUSE Linux Enterprise Module for SUSE Manager Server 4.2 is installed
  • OR SUSE Manager Server 4.2 is installed
  • AND prometheus-postgres_exporter-0.10.0-150000.1.3.1 is installed
  • Definition Synopsis
  • openSUSE Leap 15.4 is installed
  • AND Package Information
  • grafana-8.3.5-150200.3.21.1 is installed
  • AND grafana is signed with openSUSE key
  • Definition Synopsis
  • openSUSE Leap 15.3 is installed
  • AND Package Information
  • grafana-8.3.5-150200.3.21.1 is installed
  • AND grafana is signed with openSUSE key
  • OR
  • prometheus-postgres_exporter-0.10.0-150000.1.3.1 is installed
  • AND prometheus-postgres_exporter is signed with openSUSE key
  • OR
  • python3-rhnlib-4.2.6-150000.3.34.1 is installed
  • AND python3-rhnlib is signed with openSUSE key
  • OR
  • spacecmd-4.2.16-150000.3.77.1 is installed
  • AND spacecmd is signed with openSUSE key
  • Definition Synopsis
  • Release Information
  • SUSE Linux Enterprise Server 12 SP5 is installed
  • OR SUSE Linux Enterprise Server for SAP Applications 12 SP5 is installed
  • AND golang-github-prometheus-node_exporter-1.3.0-1.15.3 is installed
  • Definition Synopsis
  • Release Information
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4 is installed
  • AND golang-github-prometheus-node_exporter-1.3.0-1.15.3 is installed
  • OR Package Information
  • SUSE Linux Enterprise Server 12 SP4-LTSS is installed
  • AND golang-github-prometheus-node_exporter-1.3.0-1.15.3 is installed
  • OR Package Information
  • SUSE Linux Enterprise Server 12 SP4-ESPOS is installed
  • AND golang-github-prometheus-node_exporter-1.3.0-1.15.3 is installed