In this week’s digest, we’ll cover:
- Grafana security release.
- Integer overflow in VLC.
- Snapd race condition vulnerability.
Grafana Security Release
Privilege Escalation: Unauthorized Access to Arbitrary Endpoints
CVE-2022-39328 is a race condition in the Grafana codebase that allows unauthenticated users to query arbitrary endpoints. A race in the creation of the HTTP context can cause a request to be handed the authentication/authorization middleware that belongs to a different call. Under heavy load, a call that should be protected by privileged middleware may instead receive the public query middleware. As a result, an unauthenticated user can successfully query a protected endpoint.
All installations of Grafana versions >=9.2.x are affected. Grafana recommends upgrading your instance to fully address CVE-2022-39328.
Privilege escalation: username/email not trusted
Grafana admins can invite other members to the organization for which they are admins. When an admin adds members, non-existent users receive an invitation email while existing users are added directly to the organization. Once the invite link is sent, anyone with access to the link can sign up with a username/email address of their own choosing and become a member of the organization. The CVSS score of CVE-2022-39306 is 6.4 (Moderate).
All installations of Grafana versions <=9.x, <8.x are affected. Grafana recommends upgrading your instance to fully address CVE-2022-39306.
Username enumeration
The “forgot password” flow on the login page sends a POST request to the /api/user/password/sent-reset-email URL. If the username or email does not exist, the JSON response contains a “user not found” message. An unauthenticated user can use this difference in responses to determine which usernames and email addresses exist on the affected instance.
The CVSS score of CVE-2022-39307 is 5.3 (Moderate). All installations of Grafana versions <=9.x, <8.x are affected. Grafana recommends upgrading your instance to fully address this vulnerability.
Integer overflow in VLC
VLC Media Player (formerly VideoLAN Client, commonly known simply as VLC) is a free, open source, portable, cross-platform media player and streaming media server developed by the VideoLAN project. CVE-2022-41325 is in VLC’s VNC module. VLC can display a VNC video stream from a URI such as: vlc vnc://ip_address_of_server:port/
If an attacker controls the VNC server, they can trick VLC into allocating a shorter memory buffer than expected. This gives a powerful relative “write-what-where” primitive that can crash VLC or, under certain conditions, execute arbitrary code. VNC support is provided through a third-party library (LibVNCClient), but the affected code is in VLC itself.
Versions 3.0.17.4 and earlier are affected. The VLC team fixed the vulnerability in an upstream commit.
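The “shorter buffer than expected” failure mode described above comes from an allocation size computed from server-controlled dimensions that wraps around. The following added example (not VLC’s or LibVNCClient’s code; the rectangle header type and the 64 MiB cap are assumptions for illustration) shows the wrapping 32-bit computation beside a hardened version that checks for overflow and bounds the result:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed rectangle header as a server might send it; not VLC's
 * or LibVNCClient's real types. */
typedef struct {
    uint16_t width;
    uint16_t height;
    uint8_t  bytes_per_pixel;
} rect_hdr_t;

/* The error pattern: the product is computed in 32 bits, so a large
 * rectangle wraps to a small value (here: zero) while later copies of
 * pixel data still use the real width*height extent. */
uint32_t unchecked_size(const rect_hdr_t *h)
{
    return (uint32_t)h->width * (uint32_t)h->height * h->bytes_per_pixel;
}

/* Hardened computation: reject zero dimensions, detect wraparound with
 * __builtin_mul_overflow (GCC/Clang; matters on 32-bit size_t), and cap
 * the result so a remote peer can never dictate an unbounded allocation. */
bool checked_size(const rect_hdr_t *h, size_t max_bytes, size_t *out)
{
    size_t pixels, bytes;
    if (h->width == 0 || h->height == 0 || h->bytes_per_pixel == 0)
        return false;
    if (__builtin_mul_overflow((size_t)h->width, (size_t)h->height, &pixels))
        return false;
    if (__builtin_mul_overflow(pixels, (size_t)h->bytes_per_pixel, &bytes))
        return false;
    if (bytes > max_bytes)              /* assumed per-frame allocation cap */
        return false;
    *out = bytes;
    return true;
}

int main(void)
{
    rect_hdr_t normal  = { 640, 480, 4 };
    rect_hdr_t hostile = { 32768, 32768, 4 };   /* 2^30 pixels * 4 = 2^32 */
    size_t n = 0;
    printf("normal:  unchecked=%u checked_ok=%d\n", unchecked_size(&normal),
           checked_size(&normal, 64u << 20, &n));
    printf("hostile: unchecked=%u checked_ok=%d\n", unchecked_size(&hostile),
           checked_size(&hostile, 64u << 20, &n));
    return 0;
}
```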
Snapd race condition vulnerability
The snap-confine program is used internally by snapd to build the execution environment for snap applications, which are containerized software packages. CVE-2022-3328 describes a race condition in must_mkdir_and_open_with_perms(). On Ubuntu, snap-confine is installed as a SUID-root program by default. The bug was introduced as part of the fix for CVE-2021-44731.
A local attacker with normal user privileges can chain it with the multipath privilege escalation vulnerability (CVE-2022-41974) and the multipath symlink vulnerability to bind /tmp to any directory in the file system and elevate from a regular user to root.
Affected snapd versions are 2.54.3 through 2.57.6. A security release that fixes this vulnerability has now been published; affected users are advised to upgrade to the new version.