Grafana released "Grafana 5.3.3 and 4.6.5 Security Update" https://community.grafana.com/t/grafana-5-3-3-and-4-6-5-security-update/11961 and included a specific patch indicating the .
Note: we using Grafana 5.1.3 so we can't use patch directly, we need to modify it.
Any users with Editor or Admin permissions in Grafana can read from the file system any file the Grafana process has access to. In order to exploit this you would need to be logged in to the system as a legitimate user with Editor or Admin permissions.
This affects PMM Server since release February 7th 2017 in 1.1.0 Beta while April 20 2018 release 1.10.0 was our first non-vulnerable release (we started building Grafana ourselves and unintentionally omitted the PhantomJS binary).
Users on release 1.10.0 or newer, you are not affected by this vulnerability.
In 1.17.0 ew are fixing PhantomJS functionality
Steps to Reproduce:
Not disclosed at this time.
Any user authenticated to Grafana with Editor or Admin role can read any file that the Grafana process can read from the file system.
Grafana Users cannot gain access to the file system.
The workaround for users unable to upgrade is to perform two actions:
- Set all Users to Viewer access level only
- Remove all dashboards that contain text panels
pls see this
can we apply changes form pkg/services/rendering/phantomjs.go to our build?