Today we are releasing Grafana 6.7.5, 7.2.3, and 7.3.6. These patch releases include an important security fix for an issue that affects all Grafana Enterprise versions from 6.3 through 7.3.5. MITRE assigned CVE-2020-29509, CVE-2020-29510, and CVE-2020-29511 to the underlying vulnerabilities. CVE-2020-27846 was assigned to the crewjam/saml implementation.
Mattermost contacted us on 2020-12-11 about HIGH severity issues in Go’s encoding/xml package and published information about them on 2020-12-14. For more information, please see this blog post.
Grafana OSS is not affected as it does not use SAML. This is a janitorial release to keep version information in sync.
We thank Mattermost for bringing this to our attention privately before public release.
Affected versions
Grafana Enterprise releases 6.3 through 7.3.5 (excluding the patched versions listed below)
Patched versions
6.7.5, 7.2.3, and 7.3.6
Solutions and mitigations
Download and install the appropriate patch for your version of Grafana.
Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries 2020-12-14.
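To decide which instances still need the patch, the version ranges stated in this post can be turned into an inventory check. This is an added example, not Grafana Labs' own tooling; it assumes plain dotted version strings (an optional leading "v" is tolerated) and an edition flag, as an inventory export would typically carry.

```python
from typing import Tuple

# Ranges taken from this advisory: Enterprise 6.3 through 7.3.5 is affected,
# except for the patched releases 6.7.5 and 7.2.3; 7.3.6 is the patched
# release just above the affected range.
AFFECTED_LOW = (6, 3, 0)
AFFECTED_HIGH = (7, 3, 5)
PATCHED = {(6, 7, 5), (7, 2, 3), (7, 3, 6)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '7.3.5' or '7.3' (treated as 7.3.0) into a comparable tuple.

    Pre-release or otherwise decorated strings are rejected rather than
    guessed at, so they surface for manual review instead of being
    silently classified.
    """
    core = text.strip()
    if core.startswith("v"):
        core = core[1:]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def status(version: str, enterprise: bool = True) -> str:
    """Classify one instance: 'affected', 'patched' or 'not-affected'.

    Grafana OSS is never affected because it does not ship SAML.
    """
    if not enterprise:
        return "not-affected"
    v = parse_version(version)
    if v in PATCHED:
        return "patched"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    return "not-affected"


if __name__ == "__main__":
    # Constructed inventory lines: "<host> <version> <edition>"
    inventory = ["grafana-a 7.3.5 enterprise", "grafana-b 7.3.6 enterprise",
                 "grafana-c 6.7.5 enterprise", "grafana-d 7.3.5 oss"]
    for line in inventory:
        host, ver, edition = line.split()
        print(f"{host:10} {ver:8} {status(ver, edition == 'enterprise')}")
```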
Reporting security issues
If you think you have found a security vulnerability, please send a report to email@example.com. This address can be used for all of Grafana Labs’ open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keys.gnupg.net by searching for security@grafana.
We maintain a category on the community site named Security Announcements, where we will post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to email updates to this category if you have a grafana.com account and sign in to the community site, or via updates from our Security Announcements RSS feed.