Site icon API Security Blog

grafana security, bug fix, and enhancement update

[7.5.15-3]
– resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
– resolve CVE-2022-1705 golang: net/https: improper sanitization of Transfer-Encoding header
– resolve CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy – omit X-Forwarded-For not working
– resolve CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
– resolve CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
– resolve CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
– resolve CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
– resolve CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
– resolve CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
[7.5.15-2]
– resolve CVE-2022-31107 grafana: OAuth account takeover
[7.5.15-1]
– update to 7.5.15 tagged upstream community sources, see CHANGELOG
– resolve CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
– resolve CVE-2022-21702 grafana: XSS vulnerability in data source handling
– resolve CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
– resolve CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
– resolve CVE-2021-23648 sanitize-url: XSS
– resolve CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
– declare Node.js dependencies of subpackages
– make vendor and webpack tarballs reproducible
[7.5.11-3]
– use HMAC-SHA-256 instead of SHA-1 to generate password reset tokens
– update FIPS tests in check phase
[7.5.11-2]
– resolve CVE-2021-44716 golang: net/https: limit growth of header canonicalization cache
– resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
[7.5.11-1]
– update to 7.5.11 tagged upstream community sources, see CHANGELOG
– resolve CVE-2021-39226Read More

Exit mobile version