The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1148-1 advisory.
The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set.
(CVE-2021-27358)
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access. (CVE-2021-27962)
The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn’t supposed to have. (CVE-2021-28146)
The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add external groups to any existing team. This can be used to grant a user team permissions that the user isn’t supposed to have. (CVE-2021-28147)
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance. (CVE-2021-28148)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from
# openSUSE Security Update openSUSE-SU-2021:1148-1. The text itself
# is copyright (C) SUSE.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(152561);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/08/14");
script_cve_id(
"CVE-2021-27358",
"CVE-2021-27962",
"CVE-2021-28146",
"CVE-2021-28147",
"CVE-2021-28148"
);
script_name(english:"openSUSE 15 Security Update : grafana (openSUSE-SU-2021:1148-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in
the openSUSE-SU-2021:1148-1 advisory.
- The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to
trigger a Denial of Service via a remote API call if a commonly used configuration is set.
(CVE-2021-27358)
- Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to
bypass a permission check concerning a data source they should not be able to access. (CVE-2021-27962)
- The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On
Grafana instances using an external authentication service, this vulnerability allows any authenticated
user to add external groups to existing teams. This can be used to grant a user team permissions that the
user isn't supposed to have. (CVE-2021-28146)
- The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5
has an Incorrect Access Control issue. On Grafana instances using an external authentication service and
having the EditorsCanAdmin feature enabled, this vulnerability allows any authenticated user to add
external groups to any existing team. This can be used to grant a user team permissions that the user
isn't supposed to have. (CVE-2021-28147)
- One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10,
and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to
send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against
a Grafana Enterprise instance. (CVE-2021-28148)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1183803");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1183809");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1183811");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1183813");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1184371");
# https://lists.opensuse.org/archives/list/[email protected]/thread/7FZP3KR7QVZ36DM2NRRT76CHYDLB44JX/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2f9c9551");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-27358");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-27962");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-28146");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-28147");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2021-28148");
script_set_attribute(attribute:"solution", value:
"Update the affected grafana package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-27962");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/03/18");
script_set_attribute(attribute:"patch_publication_date", value:"2021/08/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/08/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:grafana");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.2");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/SuSE/release');
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, 'openSUSE');
var os_ver = pregmatch(pattern: "^SUSE([\d.]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');
os_ver = os_ver[1];
if (release !~ "^(SUSE15\.2)$") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);
var pkgs = [
{'reference':'grafana-7.5.7-lp152.2.16.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach package_array ( pkgs ) {
var reference = NULL;
var release = NULL;
var cpu = NULL;
var rpm_spec_vers_cmp = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (reference && release) {
if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'grafana');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27358
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27962
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28146
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28147
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28148
www.nessus.org/u?2f9c9551
bugzilla.suse.com/1183803
bugzilla.suse.com/1183809
bugzilla.suse.com/1183811
bugzilla.suse.com/1183813
bugzilla.suse.com/1184371
www.suse.com/security/cve/CVE-2021-27358
www.suse.com/security/cve/CVE-2021-27962
www.suse.com/security/cve/CVE-2021-28146
www.suse.com/security/cve/CVE-2021-28147
www.suse.com/security/cve/CVE-2021-28148