Critical Vulnerability Report

Jeremy Stanley fungi at yuggoth.org
Sun Feb 28 15:46:34 UTC 2021


On 2021-02-28 17:03:13 +0530 (+0530), Divya Singh wrote:
> Any update on this?
[...]

Thanks for the reminder, subsequent discussion ended up happening in
IRC and we neglected to follow up to this mailing list thread.

Roughly 22 hours after you contacted this discussion list (some of
the delay was waiting on list moderators like me to approve the
message), we merged https://review.opendev.org/775548 to block
access to any paths starting with "/api/snapshots" after confirming
that the latest Grafana release was still vulnerable for sites like
ours configured with anonymous access. At the same time, we also
reached out to the Grafana maintainers privately via encrypted
E-mail to let them know about this alternative avenue to the
vulnerability.

A couple of days later they pushed and merged
https://github.com/grafana/grafana/pull/31263 to correct it,
cherry-picking a backport of it to the v7.4.x series in
https://github.com/grafana/grafana/pull/31266 and immediately
releasing that as v7.4.2. The next day we merged
https://review.opendev.org/776553 to upgrade our deployment to the
new fixed version, but kept access to /api/snapshots blocked as we
treat the service as a read-only interface anyway (configured and
managed exclusively through automated orchestration tools driven by
code-reviewed Git commits).

Thanks again for bringing this to our attention!
-- 
Jeremy Stanley
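The mitigation the message describes (refusing any request whose path starts with /api/snapshots before it reaches Grafana), as an added example that is neither the OpenDev configuration from review 775548 nor Grafana's own code; the WSGI middleware, the prefix list and the path-normalization rules are this example's own assumptions.

```python
from urllib.parse import unquote
import posixpath

# Prefixes denied in front of Grafana, as in the message (assumed list).
BLOCKED_PREFIXES = ("/api/snapshots",)


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path so the prefix check is not sidestepped
    by percent-encoding, doubled slashes or dot segments. Decoding twice is
    a conservative choice for a deny rule (it also catches %252F forms)."""
    path = unquote(unquote(raw_path))
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def is_blocked(raw_path: str) -> bool:
    """True when the normalised path starts with a blocked prefix."""
    path = normalize_path(raw_path)
    return any(path.startswith(prefix) for prefix in BLOCKED_PREFIXES)


def block_snapshots(app):
    """WSGI middleware: answer 403 for blocked paths, else pass through."""
    def wrapped(environ, start_response):
        if is_blocked(environ.get("PATH_INFO", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return app(environ, start_response)
    return wrapped


def status_for(path: str) -> str:
    """Run one constructed request through the middleware and return the
    status a client would see (the stand-in upstream always answers 200)."""
    def upstream(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    seen = []
    block_snapshots(upstream)({"PATH_INFO": path}, lambda s, h: seen.append(s))
    return seen[0]


if __name__ == "__main__":
    # Constructed sample paths: encoded/dotted variants and normal traffic.
    for p in ("/api/snapshots/abc", "/api//Snapshots/abc",
              "/api/dashboards/../snapshots/abc", "/api/%73napshots/abc",
              "/api/dashboards/home", "/d/abc/my-dashboard"):
        print(f"{p:40} -> {status_for(p)}")
```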