BIT-grafana-image-renderer-2022-31176

Import Source
https://github.com/bitnami/vulndb/tree/main/data/grafana-image-renderer/BIT-grafana-image-renderer-2022-31176.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-grafana-image-renderer-2022-31176
Aliases
Published
2024-03-06T10:52:34.878Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser (Chromium/Chrome). An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake datasource (if the user has admin permissions in Grafana). All Grafana installations should be upgraded to version 3.6.1 as soon as possible. As a workaround, it is possible to disable HTTP remote rendering.

References

Affected packages

Bitnami / grafana-image-renderer

Package

Name
grafana-image-renderer
Purl
pkg:bitnami/grafana-image-renderer

Severity

  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.6.1