#git

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.

For nearly two years, police have been tracking down the culprit behind a wave of hoax threats. A digital trail took them to the door of a 17-year-old in California.

Today we are releasing Grafana 8.3.1, 8.2.7, 8.1.8, 8.0.7. This patch release includes a high severity security fix that affects Grafana versions from v8.0.0-beta1 through v8.3.0. Release v8.3.1, only containing a security fix: - [Download Grafana 8.3.1](https://grafana.com/grafana/download/8.3.1) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-1/) Release v8.2.7, only containing a security fix: - [Download Grafana 8.2.7](https://grafana.com/grafana/download/8.2.7) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-2-7/) Release v8.1.8, only containing a security fix: - [Download Grafana 8.1.8](https://grafana.com/grafana/download/8.1.8) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-8/) Release v8.0.7, only containing a security fix: - [Download Grafana 8.0.7](https://grafana.com/grafana/download/8.0.7) - [Release notes](https://grafana.com/docs/grafana/lat...

Today we are releasing Grafana 8.3.5 and 7.5.15. This patch release includes MEDIUM severity security fix for Cross Site Request Forgery for Grafana. Release v.8.3.5, only containing security fixes: - [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/) Release v.7.5.15, only containing security fixes: - [Download Grafana 7.5.15](https://grafana.com/grafana/download/7.5.15) - [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-15/) ## CSRF ([CVE-2022-21703](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21703)) ### Summary On Jan. 18, security researchers [jub0bs](https://twitter.com/jub0bs) and [abrahack](https://twitter.com/theabrahack) contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana us...

### Impact There is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the caller. This can lead to three zero bytes being written beyond the 1-byte location provided by the caller. ### Patches This bug has been patched and users should upgrade to Wasmtime 2.0.2. ### Workarounds This can be worked around by providing a 4-byte buffer casted to a 1-byte buffer when calling `wasmtime_trap_code`. Users of the `wasmtime` crate are not affected by this issue, only users of the C API function `wasmtime_trap_code` are affected. ### References * [Definition of `wasmtime_trap_code`](https://docs.wasmtime.dev/c-api/trap_8h.html#a6580f4f209d3eaebb6e8b9a901a30b7a) * [Mailing list announcement](https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/c1HBDDJwNPA...

## Impact A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. ## Patches This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. ## Workarounds Limit access to the host to trusted users. Limit access to host volumes to trusted containers. ## Credits The Moby project would li...

Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.

An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.

## Impact Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue ## Patches This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users...

HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.