FreeBSD : Grafana -- Public Dashboards time range restriction on annotations can be bypassed (83cd53f7-58ff-11f1-b525-3c7c3fba4204)

medium Nessus Plugin ID 317063

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 83cd53f7-58ff-11f1-b525-3c7c3fba4204 advisory.

https://grafana.com/security/security-advisories/cve-2026-21722 reports:
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard.
This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.

This did not leak any annotations that would not otherwise be visible on the public dashboard.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://cveawg.mitre.org/api/cve/CVE-2026-21722

http://www.nessus.org/u?7021715d

Plugin Details

Severity: Medium

ID: 317063

File Name: freebsd_pkg_83cd53f758ff11f1b5253c7c3fba4204.nasl

Version: 1.1

Type: Local

Published: 5/27/2026

Updated: 5/27/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2026-21722

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:grafana

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 5/26/2026

Vulnerability Publication Date: 1/29/2026

Reference Information

CVE: CVE-2026-21722

IAVB: 2026-B-0025-S