CVE-2021-4379x
This challenge covers the review of a CVE and its patch
The Code Review Patch challenges are designed to enhance your skills in identifying and understanding security vulnerabilities in code. In this specific lab, you are provided with vulnerable code from the Grafana project along with the corresponding patch that fixes the issue. The goal is to first attempt to find the vulnerability without looking at the patch. If you struggle to identify the issue or want to confirm your findings, you can refer to the patch.
This exercise focuses on a CVE from 2021 that impacts Grafana's plugin system, written in Golang. Grafana is a widely-used open-source dashboard management system, often exposed to the internet. The lab involves scrutinizing around 500 lines of code to identify a function that appears to block an attack but fails to do so. The challenge emphasizes thoroughly reviewing code and understanding the actual behavior of functions, rather than relying solely on their names or comments.