Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Path Traversal in Tempo and Loki Data Source Plugins — Credential Leakage and Admin Endpoint Access
Vulnerability Description
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: (1) capture admin-configured datasource credentials (secureJsonData custom headers) by traversing to an attacker-controlled endpoint, (2) invoke state-changing admin endpoints on Tempo (e.g. /flush, /shutdown), and (3) exfiltrate internal service data via Loki's CallResource which returns full HTTP response bodies.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Vulnerability Type
N/A
Vulnerability Title
Grafana OSS 安全漏洞
Vulnerability Description
Grafana OSS是Grafana公司开源的一个可视化仪表盘。 Grafana OSS 11.6.0版本存在安全漏洞,该漏洞源于Tempo和Loki datasource plugins在构造后端HTTP请求时将用户输入插入URL路径而未进行清理,可能导致路径遍历攻击。
CVSS Information
N/A
Vulnerability Type
N/A