Critical Vulnerability Report
Divya Singh
dgirlwhohacks at gmail.com
Sun Feb 28 16:05:24 UTC 2021
Hey thanks for the response can I get any kind of token of appreciation for
my work if possible?
Best,
Dgirlwhohacks
On Sun, 28 Feb, 2021, 9:16 pm Jeremy Stanley, <fungi at yuggoth.org> wrote:
> On 2021-02-28 17:03:13 +0530 (+0530), Divya Singh wrote:
> > Any update on this?
> [...]
>
> Thanks for the reminder, subsequent discussion ended up happening in
> IRC and we neglected to follow up to this mailing list thread.
>
> Roughly 22 hours after you contacted this discussion list (some of
> the delay was waiting on list moderators like me to approve the
> message), we merged https://review.opendev.org/775548 to block
> access to any paths starting with "/api/snapshots" after confirming
> that the latest Grafana release was still vulnerable for sites like
> ours configured with anonymous access. At the same time, we also
> reached out to the Grafana maintainers privately via encrypted
> E-mail to let them know about this alternative avenue to the
> vulnerability.
>
> A couple of days later they pushed and merged
> https://github.com/grafana/grafana/pull/31263 to correct it,
> cherry-picking a backport of it to the v7.4.x series in
> https://github.com/grafana/grafana/pull/31266 and immediately
> releasing that as v7.4.2. The next day we merged
> https://review.opendev.org/776553 to upgrade our deployment to the
> new fixed version, but kept access to /api/snapshots blocked as we
> treat the service as a read-only interface anyway (configured and
> managed exclusively through automated orchestration tools driven by
> code-reviewed Git commits).
>
> Thanks again for bringing this to our attention!
> --
> Jeremy Stanley
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendev.org/pipermail/service-discuss/attachments/20210228/721c5345/attachment.html>
More information about the service-discuss
mailing list