From a6f8de3a0b6e269c1eea8310d9907772eb9f5088 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Oct 2023 23:28:48 +0000 Subject: [PATCH] Publish GHSA-37x5-qpm8-53rq --- .../GHSA-37x5-qpm8-53rq.json | 35 +++++++++++++++---- 1 file changed, 29 insertions(+), 6 deletions(-) rename advisories/{unreviewed => github-reviewed}/2023/10/GHSA-37x5-qpm8-53rq/GHSA-37x5-qpm8-53rq.json (57%) diff --git a/advisories/unreviewed/2023/10/GHSA-37x5-qpm8-53rq/GHSA-37x5-qpm8-53rq.json b/advisories/github-reviewed/2023/10/GHSA-37x5-qpm8-53rq/GHSA-37x5-qpm8-53rq.json similarity index 57% rename from advisories/unreviewed/2023/10/GHSA-37x5-qpm8-53rq/GHSA-37x5-qpm8-53rq.json rename to advisories/github-reviewed/2023/10/GHSA-37x5-qpm8-53rq/GHSA-37x5-qpm8-53rq.json index a0ba791195757..02f2be98107b3 100644 --- a/advisories/unreviewed/2023/10/GHSA-37x5-qpm8-53rq/GHSA-37x5-qpm8-53rq.json +++ b/advisories/github-reviewed/2023/10/GHSA-37x5-qpm8-53rq/GHSA-37x5-qpm8-53rq.json @@ -1,12 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-37x5-qpm8-53rq", - "modified": "2023-10-16T12:33:36Z", + "modified": "2023-10-20T23:27:36Z", "published": "2023-10-16T12:33:36Z", "aliases": [ "CVE-2023-4457" ], - "details": "Grafana is an open-source platform for monitoring and observability.\n\nThe Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability.\n\nThe plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source.\n\nThis vulnerability was fixed in version 1.2.2.\n\n", + "summary": "Google Sheets data source plugin for Grafana information disclosure vulnerability", + "details": "Grafana is an open-source platform for monitoring and observability.\n\nThe Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability.\n\nThe plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source.\n\nThis vulnerability was fixed in version 1.2.2.", "severity": [ { "type": "CVSS_V3", @@ -14,13 +15,35 @@ } ], "affected": [ - + { + "package": { + "ecosystem": "Go", + "name": "github.com/grafana/google-sheets-datasource" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.9.0" + }, + { + "fixed": "1.2.2" + } + ] + } + ] + } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4457" }, + { + "type": "PACKAGE", + "url": "https://github.com/grafana/google-sheets-datasource" + }, { "type": "WEB", "url": "https://grafana.com/security/security-advisories/cve-2023-4457/" @@ -30,9 +53,9 @@ "cwe_ids": [ "CWE-209" ], - "severity": null, - "github_reviewed": false, - "github_reviewed_at": null, + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2023-10-20T23:27:36Z", "nvd_published_at": null } } \ No newline at end of file