Goby/json/Grafana-Arbitrary-File-Read...

{
  "Name": "Grafana Arbitrary File Read vulnerability",
  "Description": "<p>Grafana is a cross-platform, open source data visualization network application platform.</p><p>Grafana has an unauthorized arbitrary file reading vulnerability. Attackers can use this vulnerability to read leaked source code, database configuration files, etc., resulting in an extremely insecure state of the website.</p>",
  "Product": "Grafana",
  "Homepage": "https://grafana.com/",
  "DisclosureDate": "2021-12-07",
  "Author": "keeeee",
  "FofaQuery": "app=\"Grafana\"||app=\"Grafana_Labs-公司产品\"",
  "GobyQuery": "app=\"Grafana\"||app=\"Grafana_Labs-公司产品\"",
  "Level": "3",
  "Impact": "<p>Attackers can use this vulnerability to read the leaked source code, database configuration files, etc., resulting in an extremely insecure website.</p>",
  "Recommendation": "<p>There is currently no detailed solution provided, please pay attention to the manufacturer's homepage update:<a href=\"https://github.com/grafana/grafana\" target=\"_blank\">https://github.com/grafana/grafana</a></p><p>Temporary repair suggestions:</p><p>1. Set access policies and whitelist access through security devices such as firewalls.</p><p>2. If not necessary, prohibit public network access to the system.</p>",
  "References": [
    "https://fofa.so/"
  ],
  "Is0day": false,
  "Translation": {
    "CN": {
      "Name": "Grafana 任意文件读取漏洞",
      "Product": "Grafana",
      "VulType": [
        "文件读取"
      ],
      "Tags": [
        "文件读取"
      ],
      "Description": "<p>Grafana 是一个跨平台、开源的数据可视化网络应用程序平台。<br></p><p>Grafana 存在未授权任意文件读取漏洞。<span style=\"font-size: 16px;\">攻击者可通过该漏洞读取泄露源码、数据库配置文件等等,导致网站处于极度不安全状态。 </span><br></p>",
      "Impact": "<p><span style=\"font-size: 16px;\">攻击者可通过该漏洞读取泄露源码、数据库配置文件等等,导致网站处于极度不安全状态。 </span><br></p>",
      "Recommendation": "<p><span style=\"font-size: 16px;\">目前没有详细的解决方案提供,请关注厂商主页更新:</span><a href=\"https://github.com/grafana/grafana\">https://github.com/grafana/grafana</a><br></p><p>临时修复建议:</p><p>1、通过防火墙等安全设备设置访问策略设置白名单访问。</p><p>2、如非必要禁止公网访问该系统。</p>"
    }
  },
  "HasExp": true,
  "ExpParams": [
    {
      "name": "fileName",
      "type": "input",
      "value": "/etc/passwd"
    }
  ],
  "ExpTips": {
    "Type": "",
    "Content": ""
  },
  "ScanSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "ExploitSteps": [
    "AND",
    {
      "Request": {
        "method": "GET",
        "uri": "/test.php",
        "follow_redirect": true,
        "header": {},
        "data_type": "text",
        "data": ""
      },
      "ResponseTest": {
        "type": "group",
        "operation": "AND",
        "checks": [
          {
            "type": "item",
            "variable": "$code",
            "operation": "==",
            "value": "200",
            "bz": ""
          },
          {
            "type": "item",
            "variable": "$body",
            "operation": "contains",
            "value": "test",
            "bz": ""
          }
        ]
      },
      "SetVariable": []
    }
  ],
  "Tags": [
    "file-read"
  ],
  "VulType": [
    "file-read"
  ],
  "CVEIDs": [
    ""
  ],
  "CNNVD": [
    ""
  ],
  "CNVD": [
    ""
  ],
  "CVSSScore": "8.5",
  "AttackSurfaces": {
    "Application": null,
    "Support": null,
    "Service": null,
    "System": null,
    "Hardware": null
  }
}