{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A9B9C101-2003-4213-9B6D-B92CDD6C3370",
              "versionEndExcluding": "8.2.3",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path."
    },
    {
      "lang": "es",
      "value": "Grafana es una plataforma de c\u00f3digo abierto para la monitorizaci\u00f3n y la observabilidad. En las versiones afectadas, si un atacante es capaz de convencer a una v\u00edctima de que visite una URL que haga referencia a una p\u00e1gina vulnerable, se puede ejecutar contenido JavaScript arbitrario en el contexto del navegador de la v\u00edctima. El usuario que visita el enlace malicioso debe no estar autenticado y el enlace debe ser para una p\u00e1gina que contenga el bot\u00f3n de inicio de sesi\u00f3n en la barra de men\u00fa. La url tiene que estar dise\u00f1ada para explotar el renderizado de AngularJS y contener el enlace de interpolaci\u00f3n para las expresiones de AngularJS. AngularJS utiliza llaves dobles para la interpolaci\u00f3n: {{ }} ej: {{constructor.constructor(\u0027alert(1)\u0027)()}}. Cuando el usuario sigue el enlace y la p\u00e1gina se renderiza, el bot\u00f3n de inicio de sesi\u00f3n contendr\u00e1 el enlace original con un par\u00e1metro de consulta para forzar una redirecci\u00f3n a la p\u00e1gina de inicio de sesi\u00f3n. La URL no se valida y el motor de renderizado de AngularJS ejecutar\u00e1 la expresi\u00f3n JavaScript contenida en la URL. Se recomienda a los usuarios que actualicen lo antes posible. Si por alguna raz\u00f3n no pueden actualizar, pueden utilizar un proxy inverso o similar para bloquear el acceso a la cadena literal {{ en la ruta"
    }
  ],
  "id": "CVE-2021-41174",
  "lastModified": "2024-11-21T06:25:40.410",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-11-03T18:15:08.413",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20211125-0003/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20211125-0003/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grafana/data"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-03T18:18:08Z",
    "nvd_published_at": "2021-11-03T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Today we are releasing Grafana 8.2.3. This patch release includes an important security fix for an issue that affects all Grafana versions from 8.0.0-beta1.\n\n[Grafana Cloud](https://grafana.com/cloud) instances have already been patched and an audit did not find any usage of this attack vector. [Grafana Enterprise](https://grafana.com/products/enterprise) customers were provided with updated binaries under embargo.\n\n## CVE-2021-41174 XSS vulnerability on unauthenticated pages\n\n### Summary\n\nCVSS Score: 6.9 Medium\nCVSS:[CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:R/CR:L/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:N/MI:H/MA:L](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:R/CR:L/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:N/MI:H/MA:L)\n\nWe received a security report to security@grafana.com on 2021-10-21 about a vulnerability in Grafana regarding the XSS vulnerability.\n\nIt was later identified as affecting Grafana versions from 8.0.0-beta1 to 8.2.2. [CVE-2021-41174](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41174) has been assigned to this vulnerability.\n\n### Impact\n\nIf an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser.\n\nThe user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar.\n\nThere are two ways an unauthenticated user can open a page in Grafana that contains the login button:\n- Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.\n- The link is to an unauthenticated page. The following pages are vulnerable:\n  - `/dashboard-solo/snapshot/*`\n  - `/dashboard/snapshot/*`\n  - `/invite/:code`\n\nThe url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} \n\nAn example of an expression would be: `{{constructor.constructor(\u2018alert(1)\u2019)()}}`. This can be included in the link URL like this: \n\nhttps://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor(\u0027alert(1)\u0027)()%7D%7D?orgId=1\n\nWhen the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.\n\n### Attack audit\n\nWe can not guarantee that the below will identify all attacks, so if you find something using the audit process described below, you should consider doing a full assessment.\n\n#### Through reverse proxy/load balancer logs\n\nTo determine if your Grafana installation has been exploited for this vulnerability, search through your reverse proxy/load balancer access logs for instances where the path contains `{{` followed by something that would invoke JavaScript code. For example, this could be code that attempts to show a fake login page or to steal browser or session data. The [OWASP cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html) has several examples of XSS attacks.\n\n#### Through the Grafana Enterprise audit feature\n\nIf you enabled \u201cLog web requests\u201d in your configuration with `router_logging = true`, look for requests where `path` contains `{{` followed by something that would invoke JavaScript code.\n\n### Patched versions\n\nRelease 8.2.3:\n\n- [Download Grafana 8.2.3](https://grafana.com/grafana/download/8.2.3)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-2-3/)\n\n### Solutions and mitigations\n\nDownload and install the appropriate patch for your version of Grafana.\n\n[Grafana Cloud](https://grafana.com/cloud) instances have already been patched, and [Grafana Enterprise](https://grafana.com/products/enterprise) customers were provided with updated binaries under embargo.\n\n### Workaround\n\nIf for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string `{{` in the path.\n\nExample of an Nginx rule to block the literal string `{{`:\n\n```\nlocation ~ \\{\\{ {\n    deny all;\n}\n```\n### Timeline and postmortem\n\nHere is a detailed timeline starting from when we originally learned of the issue. All times in UTC. \n\n* 2021-10-21 23:13: Security researcher sends the initial report about an XSS vulnerability.\n* 2021-10-21 23:13: Confirmed to be reproducible in at least versions 8.0.5 and 8.2.2.\n* 2021-10-22 02:02 MEDIUM severity declared.\n* 2021-10-22 09:22: it is discovered that Grafana instances with anonymous auth turned on are vulnerable. This includes https://play.grafana.org/ .\n* 2021-10-22 09:50: Anonymous access disabled for all instances on Grafana Cloud as a mitigation measure.\n* 2021-10-22 11:15: Workaround deployed on Grafana Cloud that blocks malicious requests.\n* 2021-10-22 12:35: Enabled anonymous access for instances on Grafana Cloud. \n* 2021-10-22 12:51: All instances protected by the workaround. From this point forward, Grafana Cloud is no longer affected.\n* 2021-10-22 14:05 Grafana Cloud instances updated with a fix.\n* 2021-10-22 19:23 :Determination that no weekend work is needed as the issue is of MEDIUM severity and the root cause has been identified.\n* 2021-10-25 14:13: Audit of Grafana Cloud concluded, no evidence of exploitation.\n* 2021-10-27 12:00: Grafana Enterprise images released to customers under embargo.\n* 2021-11-03 12:00: Public release.\n\n## Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to [security@grafana.com](mailto:security@grafana.com). This address can be used for all of\nGrafana Labs\u0027 open source and commercial products (including but not limited to Grafana, Tempo, Loki, k6, Tanka, and  Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:\n\nF988 7BEA 027A 049F AE8E  5CAA D125 8932 BE24 C5CA\n\nThe key is available from [ keyserver.ubuntu.com]( https://keyserver.ubuntu.com/pks/lookup?op=get\u0026fingerprint=on\u0026search=0xD1258932BE24C5CA) by searching for [security@grafana]( https://keyserver.ubuntu.com/pks/lookup?search=security@grafana\u0026fingerprint=on\u0026op=index).\n\n## Security announcements\n\nThere is a Security [category](https://grafana.com/tags/security/) on the Grafana blog where we will post a summary, remediation, and mitigation details for any patch containing security fixes and you can subscribe to updates from our [Security Announcements RSS feed](https://grafana.com/tags/security/index.xml).",
  "id": "GHSA-3j9m-hcv9-rpj8",
  "modified": "2021-11-29T15:05:31Z",
  "published": "2021-11-08T18:13:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211125-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XSS vulnerability allowing arbitrary JavaScript execution"
}

{
  "GSD": {
    "alias": "CVE-2021-41174",
    "description": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.",
    "id": "GSD-2021-41174",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-41174.html",
      "https://security.archlinux.org/CVE-2021-41174"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-41174"
      ],
      "details": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.",
      "id": "GSD-2021-41174",
      "modified": "2023-12-13T01:23:27.256947Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-41174",
        "STATE": "PUBLIC",
        "TITLE": "XSS vulnerability allowing arbitrary JavaScript execution"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "grafana",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 8.0.0, \u003c 8.2.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "grafana"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8",
            "refsource": "CONFIRM",
            "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
          },
          {
            "name": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912",
            "refsource": "MISC",
            "url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
          },
          {
            "name": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82",
            "refsource": "MISC",
            "url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
          },
          {
            "name": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88",
            "refsource": "MISC",
            "url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20211125-0003/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20211125-0003/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-3j9m-hcv9-rpj8",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=8.0.0 \u003c8.2.3",
          "affected_versions": "All versions starting from 8.0.0 before 8.2.3",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2021-11-29",
          "description": "Grafana is an open-source platform for monitoring and observability. arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.",
          "fixed_versions": [
            "8.2.3"
          ],
          "identifier": "CVE-2021-41174",
          "identifiers": [
            "GHSA-3j9m-hcv9-rpj8",
            "CVE-2021-41174"
          ],
          "not_impacted": "All versions before 8.0.0, all versions starting from 8.2.3",
          "package_slug": "npm/@grafana/data",
          "pubdate": "2021-11-08",
          "solution": "Upgrade to version 8.2.3 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8",
            "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912",
            "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82",
            "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41174",
            "https://security.netapp.com/advisory/ntap-20211125-0003/",
            "https://github.com/advisories/GHSA-3j9m-hcv9-rpj8"
          ],
          "uuid": "35963801-c88c-4b69-a91b-782735339643"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.2.3",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41174"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
            },
            {
              "name": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
            },
            {
              "name": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
            },
            {
              "name": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20211125-0003/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20211125-0003/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2021-11-29T17:13Z",
      "publishedDate": "2021-11-03T18:15Z"
    }
  }
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "grafana-8.3.4-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the grafana-8.3.4-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11816",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11816-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-36222 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-36222/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-3711 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-3711/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-41174 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-41174/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-41244 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-41244/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-43798 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-43798/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-21673 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-21673/"
      }
    ],
    "title": "grafana-8.3.4-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11816-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.3.4-1.1.aarch64",
                "product": {
                  "name": "grafana-8.3.4-1.1.aarch64",
                  "product_id": "grafana-8.3.4-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.3.4-1.1.ppc64le",
                "product": {
                  "name": "grafana-8.3.4-1.1.ppc64le",
                  "product_id": "grafana-8.3.4-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.3.4-1.1.s390x",
                "product": {
                  "name": "grafana-8.3.4-1.1.s390x",
                  "product_id": "grafana-8.3.4-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.3.4-1.1.x86_64",
                "product": {
                  "name": "grafana-8.3.4-1.1.x86_64",
                  "product_id": "grafana-8.3.4-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.4-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64"
        },
        "product_reference": "grafana-8.3.4-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.4-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le"
        },
        "product_reference": "grafana-8.3.4-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.4-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x"
        },
        "product_reference": "grafana-8.3.4-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.4-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
        },
        "product_reference": "grafana-8.3.4-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-36222",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-36222"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-36222",
          "url": "https://www.suse.com/security/cve/CVE-2021-36222"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188571 for CVE-2021-36222",
          "url": "https://bugzilla.suse.com/1188571"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-36222"
    },
    {
      "cve": "CVE-2021-3711",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-3711"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-3711",
          "url": "https://www.suse.com/security/cve/CVE-2021-3711"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1189520 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1189520"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1190129 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1190129"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1192100 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1192100"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1205663 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1205663"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1225628 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1225628"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2021-3711"
    },
    {
      "cve": "CVE-2021-41174",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-41174"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u0027alert(1)\u0027)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-41174",
          "url": "https://www.suse.com/security/cve/CVE-2021-41174"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1192383 for CVE-2021-41174",
          "url": "https://bugzilla.suse.com/1192383"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-41174"
    },
    {
      "cve": "CVE-2021-41244",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-41244"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users\u0027 roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users\u0027 roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-41244",
          "url": "https://www.suse.com/security/cve/CVE-2021-41244"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1192763 for CVE-2021-41244",
          "url": "https://bugzilla.suse.com/1192763"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2021-41244"
    },
    {
      "cve": "CVE-2021-43798",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-43798"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `\u003cgrafana_host_url\u003e/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-43798",
          "url": "https://www.suse.com/security/cve/CVE-2021-43798"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193492 for CVE-2021-43798",
          "url": "https://bugzilla.suse.com/1193492"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-43798"
    },
    {
      "cve": "CVE-2022-21673",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-21673"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
          "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-21673",
          "url": "https://www.suse.com/security/cve/CVE-2022-21673"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1194873 for CVE-2022-21673",
          "url": "https://bugzilla.suse.com/1194873"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.aarch64",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.ppc64le",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.s390x",
            "openSUSE Tumbleweed:grafana-8.3.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-21673"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Feature update for grafana",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for grafana fixes the following issues:\n\nUpdate from version 7.5.12 to version 8.3.5 (jsc#SLE-23422)\n\n- Security:\n\n    * CVE-2022-21702: XSS vulnerability in handling data sources (bsc#1195726)\n    * CVE-2022-21703: cross-origin request forgery vulnerability (bsc#1195727)\n    * CVE-2022-21713: Insecure Direct Object Reference vulnerability in Teams API (bsc#1195728)\n    * CVE-2022-21673: GetUserInfo: return an error if no user was found (bsc#1194873)\n    * CVE-2021-43813, CVE-2021-43815, CVE-2021-41244, CVE-2021-41174, CVE-2021-43798, CVE-2021-39226.\n    * Upgrade Docker base image to Alpine 3.14.3.\n    * CVE-2021-3711: Docker: Force use of libcrypto1.1 and libssl1.1 versions\n    * Update dependencies to fix CVE-2021-36222.\n    * Upgrade Go to 1.17.2.\n    * Fix stylesheet injection vulnerability.\n    * Fix short URL vulnerability.\n\n- License update:\n    * AGPL License: Update license from Apache 2.0 to the GNU Affero General Public License (AGPL).\n\n- Breaking changes:\n    * Grafana 8 Alerting enabled by default for installations that do not use legacy alerting.\n    * Keep Last State for \u0027If execution error or timeout\u0027 when upgrading to Grafana 8 alerting.\n    * Fix No Data behaviour in Legacy Alerting.\n    * The following endpoints were deprecated for Grafana v5.0 and\n      support for them has now been removed:\n      * `GET /dashboards/db/:slug`\n      * `GET /dashboard-solo/db/:slug`\n      * `GET /api/dashboard/db/:slug`\n      * `DELETE /api/dashboards/db/:slug`\n    * The default HTTP method for Prometheus data source is now POST.\n    * Removes the never refresh option for Query variables.\n    * Removes the experimental Tags feature for Variables.\n\n- Deprecations:\n    * The InfoBox \u0026 FeatureInfoBox are now deprecated please use\n      the Alert component instead with severity info.\n\n- Bug fixes:\n    * Azure Monitor: Bug fix for variable interpolations in metrics dropdowns.\n    * Azure Monitor: Improved error messages for variable queries.\n    * CloudMonitoring: Fixes broken variable queries that use group bys.\n    * Configuration: You can now see your expired API keys if you have no active ones.\n    * Elasticsearch: Fix handling multiple datalinks for a single field.\n    * Export: Fix error when exporting dashboards using query variables that reference the default datasource.\n    * ImportDashboard: Fixes issue with importing dashboard and name ending up in uid.\n    * Login: Page no longer overflows on mobile.\n    * Plugins: Set backend metadata property for core plugins.\n    * Prometheus: Fill missing steps with null values.\n    * Prometheus: Fix interpolation of `$__rate_interval` variable.\n    * Prometheus: Interpolate variables with curly brackets syntax.\n    * Prometheus: Respect the http-method data source setting.\n    * Table: Fixes issue with field config applied to wrong fields when hiding columns.\n    * Toolkit: Fix bug with rootUrls not being properly parsed when signing a private plugin.\n    * Variables: Fix so data source variables are added to adhoc configuration.\n    * AnnoListPanel: Fix interpolation of variables in tags.\n    * CloudWatch: Allow queries to have no dimensions specified.\n    * CloudWatch: Fix broken queries for users migrating from 8.2.4/8.2.5 to 8.3.0.\n    * CloudWatch: Make sure MatchExact flag gets the right value.\n    * Dashboards: Fix so that empty folders can be deleted from the manage dashboards/folders page.\n    * InfluxDB: Improve handling of metadata query errors in InfluxQL.\n    * Loki: Fix adding of ad hoc filters for queries with parser and line_format expressions.\n    * Prometheus: Fix running of exemplar queries for non-histogram metrics.\n    * Prometheus: Interpolate template variables in interval.\n    * StateTimeline: Fix toolitp not showing when for frames with multiple fields.\n    * TraceView: Fix virtualized scrolling when trace view is opened in right pane in Explore.\n    * Variables: Fix repeating panels for on time range changed variables.\n    * Variables: Fix so queryparam option works for scoped variables.\n    * Alerting: Clear alerting rule evaluation errors after intermittent failures.\n    * Alerting: Fix refresh on legacy Alert List panel.\n    * Dashboard: Fix queries for panels with non-integer widths.\n    * Explore: Fix url update inconsistency.\n    * Prometheus: Fix range variables interpolation for time ranges smaller than 1 second.\n    * ValueMappings: Fixes issue with regex value mapping that only sets color.\n    * AccessControl: Renamed orgs roles, removed fixed:orgs:reader introduced in beta1.\n    * Azure Monitor: Add trap focus for modals in grafana/ui and other small a11y fixes for Azure Monitor.\n    * CodeEditor: Prevent suggestions from being clipped.\n    * Dashboard: Fix cache timeout persistence.\n    * Datasource: Fix stable sort order of query responses.\n    * Explore: Fix error in query history when removing last item.\n    * Logs: Fix requesting of older logs when flipped order.\n    * Prometheus: Fix running of health check query based on access mode.\n    * TextPanel: Fix suggestions for existing panels.\n    * Tracing: Fix incorrect indentations due to reoccurring spanIDs.\n    * Tracing: Show start time of trace with milliseconds precision.\n    * Variables: Make renamed or missing variable section expandable.\n    * API: Fix dashboard quota limit for imports.\n    * Alerting: Fix rule editor issues with Azure Monitor data source.\n    * Azure monitor: Make sure alert rule editor is not enabled when template variables are being used.\n    * CloudMonitoring: Fix annotation queries.\n    * CodeEditor: Trigger the latest getSuggestions() passed to CodeEditor.\n    * Dashboard: Remove the current panel from the list of options in the Dashboard datasource.\n    * Encryption: Fix decrypting secrets in alerting migration.\n    * InfluxDB: Fix corner case where index is too large in ALIAS field.\n    * NavBar: Order App plugins alphabetically.\n    * NodeGraph: Fix zooming sensitivity on touchpads.\n    * Plugins: Add OAuth pass-through logic to api/ds/query endpoint.\n    * Snapshots: Fix panel inspector for snapshot data.\n    * Tempo: Fix basic auth password reset on adding tag.\n    * ValueMapping: Fixes issue with regex mappings.\n    * TimeSeries: Fix fillBelowTo wrongly affecting fills of unrelated series.\n    * Alerting: Fix a bug where the metric in the evaluation string was not correctly populated.\n    * Alerting: Fix no data behaviour in Legacy Alerting for alert rules using the AND operator.\n    * CloudMonitoring: Ignore min and max aggregation in MQL queries.\n    * Dashboards: \u0027Copy\u0027 is no longer added to new dashboard titles.\n    * DataProxy: Fix overriding response body when response is a WebSocket upgrade.\n    * Elasticsearch: Use field configured in query editor as field for date_histogram aggregations.\n    * Explore: Fix running queries without a datasource property set.\n    * InfluxDB: Fix numeric aliases in queries.\n    * Plugins: Ensure consistent plugin settings list response.\n    * Tempo: Fix validation of float durations.\n    * Tracing: Correct tags for each span are shown.\n    * Alerting: Fix panic when Slack\u0027s API sends unexpected response.\n    * Alerting: The Create Alert button now appears on the dashboard panel when you are working with a default \n      datasource.\n    * Explore: We fixed the problem where the Explore log panel disappears when an Elasticsearch logs query returns no \n      results.\n    * Graph: You can now see annotation descriptions on hover.\n    * Logs: The system now uses the JSON parser only if the line is parsed to an object.\n    * Prometheus: the system did not reuse TCP connections when querying from Grafana alerting.\n    * Prometheus: error when a user created a query with a `$__interval` min step.\n    * RowsToFields: the system was not properly interpreting number values.\n    * Scale: We fixed how the system handles NaN percent when data min = data max.\n    * Table panel: You can now create a filter that includes special characters.\n    * Dashboard: Fix rendering of repeating panels.\n    * Datasources: Fix deletion of data source if plugin is not found.\n    * Packaging: Remove systemcallfilters sections from systemd unit files.\n    * Prometheus: Add Headers to HTTP client options.\n    * CodeEditor: Ensure that we trigger the latest onSave callback provided to the component.\n    * DashboardList/AlertList: Fix for missing All folder value.\n    * Alerting: Fixed an issue where the edit page crashes if you tried to preview an alert without a condition set.\n    * Alerting: Fixed rules migration to keep existing Grafana 8 alert rules.\n    * Alerting: Fixed the silence file content generated during migration.\n    * Analytics: Fixed an issue related to interaction event propagation in Azure Application Insights.\n    * BarGauge: Fixed an issue where the cell color was lit even though there was no data.\n    * BarGauge: Improved handling of streaming data.\n    * CloudMonitoring: Fixed INT64 label unmarshal error.\n    * ConfirmModal: Fixes confirm button focus on modal open.\n    * Dashboard: Add option to generate short URL for variables with values containing spaces.\n    * Explore: No longer hides errors containing refId property.\n    * Fixed an issue that produced State timeline panel tooltip error when data was not in sync.\n    * InfluxDB: InfluxQL query editor is set to always use resultFormat.\n    * Loki: Fixed creating context query for logs with parsed labels.\n    * PageToolbar: Fixed alignment of titles.\n    * Plugins Catalog: Update to the list of available panels after an install, update or uninstall.\n    * TimeSeries: Fixed an issue where the shared cursor was not showing when hovering over in old Graph panel.\n    * Variables: Fixed issues related to change of focus or refresh pages when pressing enter in a text box variable \n      input.\n    * Variables: Panel no longer crash when using the adhoc variable in data links.\n    * Admin: Prevent user from deleting user\u0027s current/active organization.\n    * LibraryPanels: Fix library panel getting saved in the dashboard\u0027s folder.\n    * OAuth: Make generic teams URL and JMES path configurable.\n    * QueryEditor: Fix broken copy-paste for mouse middle-click\n    * Thresholds: Fix undefined color in \u0027Add threshold\u0027.\n    * Timeseries: Add wide-to-long, and fix multi-frame output.\n    * TooltipPlugin: Fix behavior of Shared Crosshair when Tooltip is set to All.\n    * Alerting: Fix alerts with evaluation interval more than 30\n      seconds resolving before notification.\n    * Elasticsearch/Prometheus: Fix usage of proper SigV4 service\n      namespace.\n    * BarChart: Fixes panel error that happens on second refresh.\n    * Alerting: Fix notification channel migration.\n    * Annotations: Fix blank panels for queries with unknown data\n      sources.\n    * BarChart: Fix stale values and x axis labels.\n    * Graph: Make old graph panel thresholds work even if ngalert\n      is enabled.\n    * InfluxDB: Fix regex to identify / as separator.\n    * LibraryPanels: Fix update issues related to library panels in\n      rows.\n    * Variables: Fix variables not updating inside a Panel when the\n      preceding Row uses \u0027Repeat For\u0027.\n    * Alerting: Fix alert flapping in the internal alertmanager.\n    * Alerting: Fix request handler failed to convert dataframe\n      \u0027results\u0027 to plugins.DataTimeSeriesSlice: input frame is not\n      recognized as a time series.\n    * Dashboard: Fix UIDs are not preserved when importing/creating\n      dashboards thru importing .json file.\n    * Dashboard: Forces panel re-render when exiting panel edit.\n    * Dashboard: Prevent folder from changing when navigating to\n      general settings.\n    * Elasticsearch: Fix metric names for alert queries.\n    * Elasticsearch: Limit Histogram field parameter to numeric values.\n    * Elasticsearch: Prevent pipeline aggregations to show up in\n      terms order by options.\n    * LibraryPanels: Prevent duplicate repeated panels from being created.\n    * Loki: Fix ad-hoc filter in dashboard when used with parser.\n    * Plugins: Track signed files + add warn log for plugin assets\n      which are not signed.\n    * Postgres/MySQL/MSSQL: Fix region annotations not displayed correctly.\n    * Prometheus: Fix validate selector in metrics browser.\n    * Alerting: Fix saving LINE contact point.\n    * Annotations: Fix alerting annotation coloring.\n    * Annotations: Alert annotations are now visible in the correct\n      Panel.\n    * Auth: Hide SigV4 config UI and disable middleware when its\n      config flag is disabled.\n    * Dashboard: Prevent incorrect panel layout by comparing window\n      width against theme breakpoints.\n    * Elasticsearch: Fix metric names for alert queries.\n    * Explore: Fix showing of full log context.\n    * PanelEdit: Fix \u0027Actual\u0027 size by passing the correct panel\n      size to Dashboard.\n    * Plugins: Fix TLS datasource settings.\n    * Variables: Fix issue with empty drop downs on navigation.\n    * Variables: Fix URL util converting false into true.\n    * CloudWatch Logs: Fix crash when no region is selected.\n    * Annotations: Correct annotations that are displayed upon page refresh.\n    * Annotations: Fix Enabled button that disappeared from Grafana v8.0.6.\n    * Annotations: Fix data source template variable that was not available for annotations.\n    * AzureMonitor: Fix annotations query editor that does not load.\n    * Geomap: Fix scale calculations.\n    * GraphNG: Fix y-axis autosizing.\n    * Live: Display stream rate and fix duplicate channels in list response.\n    * Loki: Update labels in log browser when time range changes in dashboard.\n    * NGAlert: Send resolve signal to alertmanager on alerting -\u003e Normal.\n    * PasswordField: Prevent a password from being displayed when you click the Enter button.\n    * Renderer: Remove debug.log file when Grafana is stopped.\n    * Docker: Fix builds by delaying go mod verify until all required files are copied over.\n    * Exemplars: Fix disable exemplars only on the query that failed.\n    * SQL: Fix SQL dataframe resampling (fill mode + time intervals).\n    * Alerting: Handle marshaling Inf values.\n    * AzureMonitor: Fix macro resolution for template variables.\n    * AzureMonitor: Fix queries with Microsoft.NetApp/../../volumes\n      resources.\n    * AzureMonitor: Request and concat subsequent resource pages.\n    * Bug: Fix parse duration for day.\n    * Datasources: Improve error handling for error messages.\n    * Explore: Correct the functionality of shift-enter shortcut\n      across all uses.\n    * Explore: Show all dataFrames in data tab in Inspector.\n    * GraphNG: Fix Tooltip mode \u0027All\u0027 for XYChart.\n    * Loki: Fix highlight of logs when using filter expressions\n      with backticks.\n    * Modal: Force modal content to overflow with scroll.\n    * Plugins: Ignore symlinked folders when verifying plugin\n      signature.\n    * Alerting: Fix improper alert by changing the handling of\n      empty labels.\n    * CloudWatch/Logs: Reestablish Cloud Watch alert behavior.\n    * Dashboard: Avoid migration breaking on fieldConfig without\n      defaults field in folded panel.\n    * DashboardList: Fix issue not re-fetching dashboard list after\n      variable change.\n    * Database: Fix incorrect format of isolation level\n      configuration parameter for MySQL.\n    * InfluxDB: Correct tag filtering on InfluxDB data.\n    * Links: Fix links that caused a full page reload.\n    * Live: Fix HTTP error when InfluxDB metrics have an incomplete\n      or asymmetrical field set.\n    * Postgres/MySQL/MSSQL: Change time field to \u0027Time\u0027 for time\n      series queries.\n    * Postgres: Fix the handling of a null return value in query\n      results.\n    * Tempo: Show hex strings instead of uints for IDs.\n    * TimeSeries: Improve tooltip positioning when tooltip\n      overflows.\n    * Transformations: Add \u0027prepare time series\u0027 transformer.\n    * AzureMonitor: Fix issue where resource group name is missing\n      on the resource picker button.\n    * Chore: Fix AWS auth assuming role with workspace IAM.\n    * DashboardQueryRunner: Fixes unrestrained subscriptions being\n      created.\n    * DateFormats: Fix reading correct setting key for\n      use_browser_locale.\n    * Links: Fix links to other apps outside Grafana when under sub\n      path.\n    * Snapshots: Fix snapshot absolute time range issue.\n    * Table: Fix data link color.\n    * Time Series: Fix X-axis time format when tick increment is\n      larger than a year.\n    * Tooltip Plugin: Prevent tooltip render if field is undefined.\n    * Elasticsearch: Allow case sensitive custom options in\n      date_histogram interval.\n    * Elasticsearch: Restore previous field naming strategy when\n      using variables.\n    * Explore: Fix import of queries between SQL data sources.\n    * InfluxDB: InfluxQL query editor: fix retention policy\n      handling.\n    * Loki: Send correct time range in template variable queries.\n    * TimeSeries: Preserve RegExp series overrides when migrating\n      from old graph panel.\n    * Annotations: Fix annotation line and marker colors.\n    * AzureMonitor: Fix KQL template variable queries without\n      default workspace.\n    * CloudWatch/Logs: Fix missing response data for log queries.\n    * Elasticsearch: Restore previous field naming strategy when\n      using variables.\n    * LibraryPanels: Fix crash in library panels list when panel\n      plugin is not found.\n    * LogsPanel: Fix performance drop when moving logs panel in\n      dashboard.\n    * Loki: Parse log levels when ANSI coloring is enabled.\n    * MSSQL: Fix issue with hidden queries still being executed.\n    * PanelEdit: Display the VisualizationPicker that was not\n      displayed if a panel has an unknown panel plugin.\n    * Plugins: Fix loading symbolically linked plugins.\n    * Prometheus: Fix issue where legend name was replaced with\n      name Value in stat and gauge panels.\n    * State Timeline: Fix crash when hovering over panel.\n    * Configuration: Fix changing org preferences in FireFox.\n    * PieChart: Fix legend dimension limits.\n    * Postgres/MySQL/MSSQL: Fix panic in concurrent map writes.\n    * Variables: Hide default data source if missing from regex.\n    * Alerting/SSE: Fix \u0027count_non_null\u0027 reducer validation.\n    * Cloudwatch: Fix duplicated time series.\n    * Cloudwatch: Fix missing defaultRegion.\n    * Dashboard: Fix Dashboard init failed error on dashboards with\n      old singlestat panels in collapsed rows.\n    * Datasource: Fix storing timeout option as numeric.\n    * Postgres/MySQL/MSSQL: Fix annotation parsing for empty\n      responses.\n    * Postgres/MySQL/MSSQL: Numeric/non-string values are now\n      returned from query variables.\n    * Postgres: Fix an error that was thrown when the annotation\n      query did not return any results.\n    * StatPanel: Fix an issue with the appearance of the graph when\n      switching color mode.\n    * Visualizations: Fix an issue in the\n      Stat/BarGauge/Gauge/PieChart panels where all values mode\n      were showing the same name if they had the same value.\n    * AzureMonitor: Fix Azure Resource Graph queries in Azure\n      China.\n    * Checkbox: Fix vertical layout issue with checkboxes due to\n      fixed height.\n    * Dashboard: Fix Table view when editing causes the panel data\n      to not update.\n    * Dashboard: Fix issues where unsaved-changes warning is not\n      displayed.\n    * Login: Fixes Unauthorized message showing when on login page\n      or snapshot page.\n    * NodeGraph: Fix sorting markers in grid view.\n    * Short URL: Include orgId in generated short URLs.\n    * Variables: Support raw values of boolean type.\n    * Admin: Fix infinite loading edit on the profile page.\n    * Color: Fix issues with random colors in string and date\n      fields.\n    * Dashboard: Fix issue with title or folder change has no\n      effect after exiting settings view.\n    * DataLinks: Fix an issue __series.name is not working in data\n      link.\n    * Datasource: Fix dataproxy timeout should always be applied\n      for outgoing data source HTTP requests.\n    * Elasticsearch: Fix NewClient not passing httpClientProvider\n      to client impl.\n    * Explore: Fix Browser title not updated on Navigation to\n      Explore.\n    * GraphNG: Remove fieldName and hideInLegend properties from\n      UPlotSeriesBuilder.\n    * OAuth: Fix fallback to auto_assign_org_role setting for Azure\n      AD OAuth when no role claims exists.\n    * PanelChrome: Fix issue with empty panel after adding a non\n      data panel and coming back from panel edit.\n    * StatPanel: Fix data link tooltip not showing for single\n      value.\n    * Table: Fix sorting for number fields.\n    * Table: Have text underline for datalink, and add support for\n      image datalink.\n    * Time series panel: Position tooltip correctly when window is\n      scrolled or resized.\n    * Transformations: Prevent FilterByValue transform from\n      crashing panel edit.\n    * Annotations panel: Remove subpath from dashboard links.\n    * Content Security Policy: Allow all image sources by default.\n    * Content Security Policy: Relax default template wrt. loading\n      of scripts, due to nonces not working.\n    * Datasource: Fix tracing propagation for alert execution by\n      introducing HTTP client outgoing tracing middleware.\n    * InfluxDB: InfluxQL always apply time interval end.\n    * Library Panels: Fixes \u0027error while loading library panels\u0027.\n    * NewsPanel: Fixes rendering issue in Safari.\n    * PanelChrome: Fix queries being issued again when scrolling in\n      and out of view.\n    * Plugins: Fix Azure token provider cache panic and auth param\n      nil value.\n    * Snapshots: Fix key and deleteKey being ignored when creating\n      an external snapshot.\n    * Table: Fix issue with cell border not showing with colored\n      background cells.\n    * Table: Makes tooltip scrollable for long JSON values.\n    * TimeSeries: Fix for Connected null values threshold toggle\n      during panel editing.\n    * Variables: Fixes inconsistent selected states on dashboard\n      load.\n    * Variables: Refreshes all panels even if panel is full screen.\n    * APIKeys: Fixes issue with adding first api key.\n    * Alerting: Add checks for non supported units - disable\n      defaulting to seconds.\n    * Alerting: Fix issue where Slack notifications won\u0027t link to\n      user IDs.\n    * Alerting: Omit empty message in PagerDuty notifier.\n    * AzureMonitor: Fix migration error from older versions of App\n      Insights queries.\n    * CloudWatch: Fix AWS/Connect dimensions.\n    * CloudWatch: Fix broken AWS/MediaTailor dimension name.\n    * Dashboards: Allow string manipulation as advanced variable\n      format option.\n    * DataLinks: Includes harmless extended characters like\n      Cyrillic characters.\n    * Drawer: Fixes title overflowing its container.\n    * Explore: Fix issue when some query errors were not shown.\n    * Generic OAuth: Prevent adding duplicated users.\n    * Graphite: Handle invalid annotations.\n    * Graphite: Fix autocomplete when tags are not available.\n    * InfluxDB: Fix Cannot read property \u0027length\u0027 of undefined in\n      when parsing response.\n    * Instrumentation: Enable tracing when Jaeger host and port are\n      set.\n    * Instrumentation: Prefix metrics with grafana.\n    * MSSQL: By default let driver choose port.\n    * OAuth: Add optional strict parsing of role_attribute_path.\n    * Panel: Fixes description markdown with inline code being\n      rendered on newlines and full width.\n    * PanelChrome: Ignore data updates \u0026 errors for non data\n      panels.\n    * Permissions: Fix inherited folder permissions can prevent new\n      permissions being added to a dashboard.\n    * Plugins: Remove pre-existing plugin installs when installing\n      with grafana-cli.\n    * Plugins: Support installing to folders with whitespace and\n      fix pluginUrl trailing and leading whitespace failures.\n    * Postgres/MySQL/MSSQL: Don\u0027t return connection failure details\n      to the client.\n    * Postgres: Fix ms precision of interval in time group macro\n      when TimescaleDB is enabled.\n    * Provisioning: Use dashboard checksum field as change\n      indicator.\n    * SQL: Fix so that all captured errors are returned from sql\n      engine.\n    * Shortcuts: Fixes panel shortcuts so they always work.\n    * Table: Fixes so border is visible for cells with links.\n    * Variables: Clear query when data source type changes.\n    * Variables: Filters out builtin variables from unknown list.\n    * Variables: Refreshes all panels even if panel is full screen.\n    * Alerting: Fix NoDataFound for alert rules using AND operator.\n\n- Features and enhancements:\n    * Alerting: Allow configuration of non-ready alertmanagers.\n    * Alerting: Allow customization of Google chat message.\n    * AppPlugins: Support app plugins with only default nav.\n    * InfluxDB: query editor: skip fields in metadata queries.\n    * Postgres/MySQL/MSSQL: Cancel in-flight SQL query if user cancels query in grafana.\n    * Prometheus: Forward oauth tokens after prometheus datasource  migration.\n    * BarChart: Use new data error view component to show actions in panel edit.\n    * CloudMonitor: Iterate over pageToken for resources.\n    * Macaron: Prevent WriteHeader invalid HTTP status code panic\n    * Alerting: Prevent folders from being deleted when they  contain alerts.\n    * Alerting: Show full preview value in tooltip.\n    * BarGauge: Limit title width when name is really long.\n    * CloudMonitoring: Avoid to escape regexps in filters.\n    * CloudWatch: Add support for AWS Metric Insights.\n    * TooltipPlugin: Remove other panels\u0027 shared tooltip in edit panel.\n    * Visualizations: Limit y label width to 40% of visualization width.\n    * Alerting: Create DatasourceError alert if evaluation returns error.\n    * Alerting: Make Unified Alerting enabled by default for those who do not use legacy alerting.\n    * Alerting: Support mute timings configuration through the api for the embedded alert manager.\n    * CloudWatch: Add missing AWS/Events metrics.\n    * Docs: Add easier to find deprecation notices to certain data sources and to the changelog.\n    * Plugins Catalog: Enable install controls based on the pluginAdminEnabled flag.\n    * Table: Add space between values for the DefaultCell and JSONViewCell.\n    * Tracing: Make query editors available in dashboard for Tempo and Zipkin.\n    * Alerting: Add UI for contact point testing with custom annotations and labels.\n    * Alerting: Make alert state indicator in panel header work with Grafana 8 alerts.\n    * Alerting: Option for Discord notifier to use webhook name.\n    * Annotations: Deprecate AnnotationsSrv.\n    * Auth: Omit all base64 paddings in JWT tokens for the JWT auth.\n    * Azure Monitor: Clean up fields when editing Metrics.\n    * AzureMonitor: Add new starter dashboards.\n    * AzureMonitor: Add starter dashboard for app monitoring with Application Insights.\n    * Barchart/Time series: Allow x axis label.\n    * CLI: Improve error handling for installing plugins.\n    * CloudMonitoring: Migrate to use backend plugin SDK contracts.\n    * CloudWatch Logs: Add retry strategy for hitting max concurrent queries.\n    * CloudWatch: Add AWS RoboMaker metrics and dimension.\n    * CloudWatch: Add AWS Transfer metrics and dimension.\n    * Dashboard: replace datasource name with a reference object.\n    * Dashboards: Show logs on time series when hovering.\n    * Elasticsearch: Add support for Elasticsearch 8.0 (Beta).\n    * Elasticsearch: Add time zone setting to Date Histogram aggregation.\n    * Elasticsearch: Enable full range log volume histogram.\n    * Elasticsearch: Full range logs volume.\n    * Explore: Allow changing the graph type.\n    * Explore: Show ANSI colors when highlighting matched words in the logs panel.\n    * Graph(old) panel: Listen to events from Time series panel.\n    * Import: Load gcom dashboards from URL.\n    * LibraryPanels: Improves export and import of library panels between orgs.\n    * OAuth: Support PKCE.\n    * Panel edit: Overrides now highlight correctly when searching.\n    * PanelEdit: Display drag indicators on draggable sections.\n    * Plugins: Refactor Plugin Management.\n    * Prometheus: Add custom query parameters when creating PromLink url.\n    * Prometheus: Remove limits on metrics, labels, and values in Metrics Browser.\n    * StateTimeline: Share cursor with rest of the panels.\n    * Tempo: Add error details when json upload fails.\n    * Tempo: Add filtering for service graph query.\n    * Tempo: Add links to nodes in Service Graph pointing to Prometheus metrics.\n    * Time series/Bar chart panel: Add ability to sort series via legend.\n    * TimeSeries: Allow multiple axes for the same unit.\n    * TraceView: Allow span links defined on dataFrame.\n    * Transformations: Support a rows mode in labels to fields.\n    * ValueMappings: Don\u0027t apply field config defaults to time fields.\n    * Variables: Only update panels that are impacted by variable change.\n    * Annotations: We have improved tag search performance.\n    * Application: You can now configure an error-template title.\n    * AzureMonitor: We removed a restriction from the resource filter query.\n    * Packaging: We removed the ProcSubset option in systemd. This option prevented Grafana from starting in \n      LXC environments.\n    * Prometheus: We removed the autocomplete limit for metrics.\n    * Table: We improved the styling of the type icons to make them more distinct from column / field name.\n    * ValueMappings: You can now use value mapping in stat, gauge, bar gauge, and pie chart visualizations.\n    * AWS: Updated AWS authentication documentation.\n    * Alerting: Added support Alertmanager data source for upstream Prometheus AM implementation.\n    * Alerting: Allows more characters in label names so notifications are sent.\n    * Alerting: Get alert rules for a dashboard or a panel using `/api/v1/rules` endpoints.\n    * Annotations: Improved rendering performance of event markers.\n    * CloudWatch Logs: Skip caching for log queries.\n    * Explore: Added an opt-in configuration for Node Graph in Jaeger, Zipkin, and Tempo.\n    * Packaging: Add stricter systemd unit options.\n    * Prometheus: Metrics browser can now handle label values with special characters.\n    * AccessControl: Document new permissions restricting data source access.\n    * TimePicker: Add fiscal years and search to time picker.\n    * Alerting: Added support for Unified Alerting with Grafana HA.\n    * Alerting: Added support for tune rule evaluation using configuration options.\n    * Alerting: Cleanups alertmanager namespace from key-value store when disabling Grafana 8 alerts.\n    * Alerting: Remove ngalert feature toggle and introduce two new settings for enabling Grafana 8 alerts and \n      disabling them for specific organisations.\n    * CloudWatch: Introduced new math expression where it is necessary to specify the period field.\n    * InfluxDB: Added support for `$__interval` and `$__interval_ms` inFlux queries for alerting.\n    * InfluxDB: Flux queries can use more precise start and end timestamps with nanosecond-precision.\n    * Plugins Catalog: Make the catalog the default way to interact with plugins.\n    * Prometheus: Removed autocomplete limit for metrics.\n    * AccessControl: Introduce new permissions to restrict access for reloading provisioning configuration.\n    * Alerting: Add UI to edit Cortex/Loki namespace, group names, and group evaluation interval.\n    * Alerting: Add a Test button to test contact point.\n    * Alerting: Allow creating/editing recording rules for Loki and Cortex.\n    * Alerting: Metrics should have the label org instead of user.\n    * Alerting: Sort notification channels by name to make them easier to locate.\n    * Alerting: Support org level isolation of notification configuration.\n    * AzureMonitor: Add data links to deep link to Azure Portal Azure Resource Graph.\n    * AzureMonitor: Add support for annotations from Azure Monitor Metrics and Azure Resource Graph services.\n    * AzureMonitor: Show error message when subscriptions request fails in ConfigEditor.\n    * CloudWatch Logs: Add link to X-Ray data source for trace IDs in logs.\n    * CloudWatch Logs: Disable query path using websockets (Live) feature.\n    * CloudWatch/Logs: Don\u0027t group dataframes for non time series queries.\n    * Cloudwatch: Migrate queries that use multiple stats to one query per stat.\n    * Dashboard: Keep live timeseries moving left (v2).\n    * Datasources: Introduce response_limit for datasource responses.\n    * Explore: Add filter by trace or span ID to trace to logs feature.\n    * Explore: Download traces as JSON in Explore Inspector.\n    * Explore: Reuse Dashboard\u0027s QueryRows component.\n    * Explore: Support custom display label for derived fields buttons for Loki datasource.\n    * Grafana UI: Update monaco-related dependencies.\n    * Graphite: Deprecate browser access mode.\n    * InfluxDB: Improve handling of intervals in alerting.\n    * InfluxDB: InfluxQL query editor: Handle unusual characters in tag values better.\n    * Jaeger: Add ability to upload JSON file for trace data.\n    * LibraryElements: Enable specifying UID for new and existing library elements.\n    * LibraryPanels: Remove library panel icon from the panel header so you can no longer tell that a panel is a \n      library panel from the dashboard view.\n    * Logs panel: Scroll to the bottom on page refresh when sorting in ascending order.\n    * Loki: Add fuzzy search to label browser.\n    * Navigation: Implement active state for items in the Sidemenu.\n    * Packaging: Add stricter systemd unit options.\n    * Packaging: Update PID file location from /var/run to /run.\n    * Plugins: Add Hide OAuth Forward config option.\n    * Postgres/MySQL/MSSQL: Add setting to limit the maximum number of rows processed.\n    * Prometheus: Add browser access mode deprecation warning.\n    * Prometheus: Add interpolation for built-in-time variables to backend.\n    * Tempo: Add ability to upload trace data in JSON format.\n    * TimeSeries/XYChart: Allow grid lines visibility control in XYChart and TimeSeries panels.\n    * Transformations: Convert field types to time string number or boolean.\n    * Value mappings: Add regular-expression based value mapping.\n    * Zipkin: Add ability to upload trace JSON.\n    * Explore: Ensure logs volume bar colors match legend colors.\n    * LDAP: Search all DNs for users.\n    * AzureMonitor: Add support for PostgreSQL and MySQL Flexible Servers.\n    * Datasource: Change HTTP status code for failed datasource\n      health check to 400.\n    * Explore: Add span duration to left panel in trace viewer.\n    * Plugins: Use file extension allowlist when serving plugin\n      assets instead of checking for UNIX executable.\n    * Profiling: Add support for binding pprof server to custom\n      network interfaces.\n    * Search: Make search icon keyboard navigable.\n    * Template variables: Keyboard navigation improvements.\n    * Tooltip: Display ms within minute time range.\n    * Alerting: Deduplicate receivers during migration.\n    * ColorPicker: Display colors as RGBA.\n    * Select: Make portalling the menu opt-in, but opt-in everywhere.\n    * TimeRangePicker: Improve accessibility.\n    * Alerting: Support label matcher syntax in alert rule list filter.\n    * IconButton: Put tooltip text as aria-label.\n    * Live: Experimental HA with Redis.\n    * UI: FileDropzone component.\n    * CloudWatch: Add AWS LookoutMetrics.\n    * Alerting: Expand the value string in alert annotations and labels.\n    * Auth: Add Azure HTTP authentication middleware.\n    * Auth: Auth: Pass user role when using the authentication proxy.\n    * Gazetteer: Update countries.json file to allow for linking to 3-letter country codes.\n    * Alerting: Add Alertmanager notifications tab.\n    * Alerting: Add button to deactivate current Alertmanager\n      configuration.\n    * Alerting: Add toggle in Loki/Prometheus data source\n      configuration to opt out of alerting UI.\n    * Alerting: Allow any \u0027evaluate for\u0027 value \u003e=0 in the alert\n      rule form.\n    * Alerting: Load default configuration from status endpoint, if\n      Cortex Alertmanager returns empty user configuration. \n    * Alerting: view to display alert rule and its underlying data.\n    * Annotation panel: Release the annotation panel.\n    * Annotations: Add typeahead support for tags in built-in\n      annotations.\n    * AzureMonitor: Add curated dashboards for Azure services.\n    * AzureMonitor: Add support for deep links to Microsoft Azure\n      portal for Metrics.\n    * AzureMonitor: Remove support for different credentials for\n      Azure Monitor Logs.\n    * AzureMonitor: Support querying any Resource for Logs queries.\n    * Elasticsearch: Add frozen indices search support.\n    * Elasticsearch: Name fields after template variables values\n      instead of their name.\n    * Elasticsearch: add rate aggregation.\n    * Email: Allow configuration of content types for email\n      notifications.\n    * Explore: Add more meta information when line limit is hit.\n    * Explore: UI improvements to trace view.\n    * FieldOverrides: Added support to change display name in an\n      override field and have it be matched by a later rule.\n    * HTTP Client: Introduce dataproxy_max_idle_connections config\n      variable.\n    * InfluxDB: InfluxQL: adds tags to timeseries data.\n    * InfluxDB: InfluxQL: make measurement search case insensitive.\n      Legacy Alerting: Replace simplejson with a struct in webhook\n      notification channel.\n    * Legend: Updates display name for Last (not null) to just\n      Last*.\n    * Logs panel: Add option to show common labels.\n    * Loki: Add $__range variable.\n    * Loki: Add support for \u0027label_values(log stream selector,\n      label)\u0027 in templating.\n    * Loki: Add support for ad-hoc filtering in dashboard.\n    * MySQL Datasource: Add timezone parameter.\n    * NodeGraph: Show gradient fields in legend.\n    * PanelOptions: Don\u0027t mutate panel options/field config object\n      when updating.\n    * PieChart: Make pie gradient more subtle to match other\n      charts.\n    * Prometheus: Update PromQL typeahead and highlighting.\n    * Prometheus: interpolate variable for step field.\n    * Provisioning: Improve validation by validating across all\n      dashboard providers.\n    * SQL Datasources: Allow multiple string/labels columns with\n      time series.\n    * Select: Portal select menu to document.body.\n    * Team Sync: Add group mapping to support team sync in the\n      Generic OAuth provider.\n    * Tooltip: Make active series more noticeable.\n    * Tracing: Add support to configure trace to logs start and end\n      time.\n    * Transformations: Skip merge when there is only a single data\n      frame.\n    * ValueMapping: Added support for mapping text to color,\n      boolean values, NaN and Null. Improved UI for value mapping.\n    * Visualizations: Dynamically set any config (min, max, unit,\n      color, thresholds) from query results.\n    * live: Add support to handle origin without a value for the\n      port when matching with root_url.\n    * Alerting: Add annotation upon alert state change.\n    * Alerting: Allow space in label and annotation names.\n    * InfluxDB: Improve legend labels for InfluxDB query results.\n    * Cloudwatch Logs: Send error down to client.\n    * Folders: Return 409 Conflict status when folder already\n      exists.\n    * TimeSeries: Do not show series in tooltip if it\u0027s hidden in\n      the viz.\n    * Live: Rely on app url for origin check.\n    * PieChart: Sort legend descending, update placeholder.\n    * TimeSeries panel: Do not reinitialize plot when thresholds\n      mode change.\n    * Alerting: Increase alertmanager_conf column if MySQL.\n    * Time series/Bar chart panel: Handle infinite numbers as nulls\n      when converting to plot array.\n    * TimeSeries: Ensure series overrides that contain color are\n      migrated, and migrate the previous fieldConfig when changing\n      the panel type.\n    * ValueMappings: Improve singlestat value mappings migration.\n    * Datasource: Add support for max_conns_per_host in dataproxy\n      settings.\n    * AzureMonitor: Require default subscription for workspaces()\n      template variable query.\n    * AzureMonitor: Use resource type display names in the UI.\n    * Dashboard: Remove support for loading and deleting dashboard\n      by slug.\n    * InfluxDB: Deprecate direct browser access in data source.\n    * VizLegend: Add a read-only property.\n    * API: Support folder UID in dashboards API.\n    * Alerting: Add support for configuring avatar URL for the\n      Discord notifier.\n    * Alerting: Clarify that Threema Gateway Alerts support only\n      Basic IDs.\n    * Azure: Expose Azure settings to external plugins.\n    * AzureMonitor: Deprecate using separate credentials for Azure\n      Monitor Logs.\n    * AzureMonitor: Display variables in resource picker for Azure\n      Monitor Logs.\n    * AzureMonitor: Hide application insights for data sources not\n      using it.\n    * AzureMonitor: Support querying subscriptions and resource\n      groups in Azure Monitor Logs.\n    * AzureMonitor: remove requirement for default subscription.\n    * CloudWatch: Add Lambda@Edge Amazon CloudFront metrics.\n    * CloudWatch: Add missing AWS AppSync metrics.\n    * ConfirmModal: Auto focus delete button.\n    * Explore: Add caching for queries that are run from logs\n      navigation.\n    * Loki: Add formatting for annotations.\n    * Loki: Bring back processed bytes as meta information.\n    * NodeGraph: Display node graph collapsed by default with trace\n      view.\n    * Overrides: Include a manual override option to hide something\n      from visualization.\n    * PieChart: Support row data in pie charts.\n    * Prometheus: Update default HTTP method to POST for existing\n      data sources.\n    * Time series panel: Position tooltip correctly when window is\n      scrolled or resized.\n    * AppPlugins: Expose react-router to apps.\n    * AzureMonitor: Add Azure Resource Graph.\n    * AzureMonitor: Managed Identity configuration UI.\n    * AzureMonitor: Token provider with support for Managed\n      Identities.\n    * AzureMonitor: Update Logs workspace() template variable query\n      to return resource URIs.\n    * BarChart: Value label sizing.\n    * CloudMonitoring: Add support for preprocessing.\n    * CloudWatch: Add AWS/EFS StorageBytes metric.\n    * CloudWatch: Allow use of missing AWS namespaces using custom\n      metrics.\n    * Datasource: Shared HTTP client provider for core backend data\n      sources and any data source using the data source proxy.\n    * InfluxDB: InfluxQL: allow empty tag values in the query\n      editor.\n    * Instrumentation: Instrument incoming HTTP request with\n      histograms by default.\n    * Library Panels: Add name endpoint \u0026 unique name validation to\n      AddLibraryPanelModal.\n    * Logs panel: Support details view.\n    * PieChart: Always show the calculation options dropdown in the\n      editor.\n    * PieChart: Remove beta flag.\n    * Plugins: Enforce signing for all plugins.\n    * Plugins: Remove support for deprecated backend plugin\n      protocol version.\n    * Tempo/Jaeger: Add better display name to legend.\n    * Timeline: Add time range zoom.\n    * Timeline: Adds opacity \u0026 line width option.\n    * Timeline: Value text alignment option.\n    * ValueMappings: Add duplicate action, and disable dismiss on\n      backdrop click.\n    * Zipkin: Add node graph view to trace response.\n    * API: Add org users with pagination.\n    * API: Return 404 when deleting nonexistent API key.\n    * API: Return query results as JSON rather than base64 encoded\n      Arrow.\n    * Alerting: Allow sending notification tags to Opsgenie as\n      extra properties.\n    * Alerts: Replaces all uses of InfoBox \u0026 FeatureInfoBox with\n      Alert.\n    * Auth: Add support for JWT Authentication.\n    * AzureMonitor: Add support for\n      Microsoft.SignalRService/SignalR metrics.\n    * AzureMonitor: Azure settings in Grafana server config.\n    * AzureMonitor: Migrate Metrics query editor to React.\n    * BarChart panel: enable series toggling via legend.\n    * BarChart panel: Adds support for Tooltip in BarChartPanel.\n    * PieChart panel: Change look of highlighted pie slices.\n    * CloudMonitoring: Migrate config editor from angular to react.\n    * CloudWatch: Add Amplify Console metrics and dimensions.\n    * CloudWatch: Add missing Redshift metrics to CloudWatch data\n      source.\n    * CloudWatch: Add metrics for managed RabbitMQ service.\n    * DashboardList: Enable templating on search tag input.\n    * Datasource config: correctly remove single custom http\n      header.\n    * Elasticsearch: Add generic support for template variables.\n    * Elasticsearch: Allow omitting field when metric supports\n      inline script.\n    * Elasticsearch: Allow setting a custom limit for log queries.\n    * Elasticsearch: Guess field type from first non-empty value.\n    * Elasticsearch: Use application/x-ndjson content type for\n      multisearch requests.\n    * Elasticsearch: Use semver strings to identify ES version.\n    * Explore: Add logs navigation to request more logs.\n    * Explore: Map Graphite queries to Loki.\n    * Explore: Scroll split panes in Explore independently.\n    * Explore: Wrap each panel in separate error boundary.\n    * FieldDisplay: Smarter naming of stat values when visualising\n      row values (all values) in stat panels.\n    * Graphite: Expand metric names for variables.\n    * Graphite: Handle unknown Graphite functions without breaking\n      the visual editor.\n    * Graphite: Show graphite functions descriptions.\n    * Graphite: Support request cancellation properly (Uses new\n      backendSrv.fetch Observable request API).\n    * InfluxDB: Flux: Improve handling of complex\n      response-structures.\n    * InfluxDB: Support region annotations.\n    * Inspector: Download logs for manual processing.\n    * Jaeger: Add node graph view for trace.\n    * Jaeger: Search traces.\n    * Loki: Use data source settings for alerting queries.\n    * NodeGraph: Exploration mode.\n    * OAuth: Add support for empty scopes.\n    * PanelChrome: New logic-less emotion based component with no\n      dependency on PanelModel or DashboardModel.\n    * PanelEdit: Adds a table view toggle to quickly view data in\n      table form.\n    * PanelEdit: Highlight matched words when searching options.\n    * PanelEdit: UX improvements.\n    * Plugins: PanelRenderer and simplified QueryRunner to be used\n      from plugins.\n    * Plugins: AuthType in route configuration and params\n      interpolation.\n    * Plugins: Enable plugin runtime install/uninstall\n      capabilities.\n    * Plugins: Support set body content in plugin routes.\n    * Plugins: Introduce marketplace app.\n    * Plugins: Moving the DataSourcePicker to grafana/runtime so it\n      can be reused in plugins.\n    * Prometheus: Add custom query params for alert and exemplars\n      queries.\n    * Prometheus: Use fuzzy string matching to autocomplete metric\n      names and label.\n    * Routing: Replace Angular routing with react-router.\n    * Slack: Use chat.postMessage API by default.\n    * Tempo: Search for Traces by querying Loki directly from\n      Tempo.\n    * Tempo: Show graph view of the trace.\n    * Themes: Switch theme without reload using global shortcut.\n    * TimeSeries panel: Add support for shared cursor.\n    * TimeSeries panel: Do not crash the panel if there is no time\n      series data in the response.\n    * Variables: Do not save repeated panels, rows and scopedVars.\n    * Variables: Removes experimental Tags feature.\n    * Variables: Removes the never refresh option.\n    * Visualizations: Unify tooltip options across visualizations.\n    * Visualizations: Refactor and unify option creation between\n      new visualizations.\n    * Visualizations: Remove singlestat panel.\n\n- Plugin development fixes \u0026 changes:\n    * Toolkit: Revert build config so tslib is bundled with plugins to prevent plugins from crashing.\n    * Select: Select menus now properly scroll during keyboard navigation.\n    * grafana/ui: Enable slider marks display.\n    * Plugins: Create a mock icon component to prevent console errors.\n    * Grafana UI: Fix TS error property css is missing in type.\n    * Toolkit: Fix matchMedia not found error.\n    * Toolkit: Improve error messages when tasks fail.\n    * Toolkit: Resolve external fonts when Grafana is served from a\n      sub path.\n    * QueryField: Remove carriage return character from pasted text.\n    * Button: Introduce buttonStyle prop.\n    * DataQueryRequest: Remove deprecated props showingGraph and showingTabel and exploreMode.\n    * grafana/ui: Update React Hook Form to v7.\n    * IconButton: Introduce variant for red and blue icon buttons.\n    * Plugins: Expose the getTimeZone function to be able to get the current selected timeZone.\n    * TagsInput: Add className to TagsInput.\n    * VizLegend: Move onSeriesColorChanged to PanelContext (breaking change).\n\n- Other changes:\n\n    * Update to Go 1.17.\n    * Add build-time dependency on `wire`.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2022-1419,openSUSE-SLE-15.3-2022-1419,openSUSE-SLE-15.4-2022-1419",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-fu-2022_1419-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-FU-2022:1419-1",
        "url": "https://www.suse.com/support/update/announcement//suse-fu-20221419-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-FU-2022:1419-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2022-April/022823.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1194873",
        "url": "https://bugzilla.suse.com/1194873"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1195726",
        "url": "https://bugzilla.suse.com/1195726"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1195727",
        "url": "https://bugzilla.suse.com/1195727"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1195728",
        "url": "https://bugzilla.suse.com/1195728"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-36222 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-36222/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-3711 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-3711/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-39226 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-39226/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-41174 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-41174/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-41244 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-41244/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-43798 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-43798/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-43813 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-43813/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-43815 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-43815/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-21673 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-21673/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-21702 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-21702/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-21703 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-21703/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-21713 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-21713/"
      }
    ],
    "title": "Feature update for grafana",
    "tracking": {
      "current_release_date": "2022-04-27T07:20:15Z",
      "generator": {
        "date": "2022-04-27T07:20:15Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-FU-2022:1419-1",
      "initial_release_date": "2022-04-27T07:20:15Z",
      "revision_history": [
        {
          "date": "2022-04-27T07:20:15Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.3.5-150200.3.21.1.aarch64",
                "product": {
                  "name": "grafana-8.3.5-150200.3.21.1.aarch64",
                  "product_id": "grafana-8.3.5-150200.3.21.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.3.5-150200.3.21.1.i586",
                "product": {
                  "name": "grafana-8.3.5-150200.3.21.1.i586",
                  "product_id": "grafana-8.3.5-150200.3.21.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.3.5-150200.3.21.1.ppc64le",
                "product": {
                  "name": "grafana-8.3.5-150200.3.21.1.ppc64le",
                  "product_id": "grafana-8.3.5-150200.3.21.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.3.5-150200.3.21.1.s390x",
                "product": {
                  "name": "grafana-8.3.5-150200.3.21.1.s390x",
                  "product_id": "grafana-8.3.5-150200.3.21.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grafana-8.3.5-150200.3.21.1.x86_64",
                "product": {
                  "name": "grafana-8.3.5-150200.3.21.1.x86_64",
                  "product_id": "grafana-8.3.5-150200.3.21.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.3",
                "product": {
                  "name": "openSUSE Leap 15.3",
                  "product_id": "openSUSE Leap 15.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.5-150200.3.21.1.aarch64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64"
        },
        "product_reference": "grafana-8.3.5-150200.3.21.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.5-150200.3.21.1.ppc64le as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le"
        },
        "product_reference": "grafana-8.3.5-150200.3.21.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.5-150200.3.21.1.s390x as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x"
        },
        "product_reference": "grafana-8.3.5-150200.3.21.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.5-150200.3.21.1.x86_64 as component of openSUSE Leap 15.3",
          "product_id": "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64"
        },
        "product_reference": "grafana-8.3.5-150200.3.21.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.5-150200.3.21.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64"
        },
        "product_reference": "grafana-8.3.5-150200.3.21.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.5-150200.3.21.1.ppc64le as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le"
        },
        "product_reference": "grafana-8.3.5-150200.3.21.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.5-150200.3.21.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x"
        },
        "product_reference": "grafana-8.3.5-150200.3.21.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grafana-8.3.5-150200.3.21.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        },
        "product_reference": "grafana-8.3.5-150200.3.21.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-36222",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-36222"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-36222",
          "url": "https://www.suse.com/security/cve/CVE-2021-36222"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188571 for CVE-2021-36222",
          "url": "https://bugzilla.suse.com/1188571"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-36222"
    },
    {
      "cve": "CVE-2021-3711",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-3711"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the \"out\" parameter can be NULL and, on exit, the \"outlen\" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the \"out\" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-3711",
          "url": "https://www.suse.com/security/cve/CVE-2021-3711"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1189520 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1189520"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1190129 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1190129"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1192100 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1192100"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1205663 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1205663"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1225628 for CVE-2021-3711",
          "url": "https://bugzilla.suse.com/1225628"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2021-3711"
    },
    {
      "cve": "CVE-2021-39226",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-39226"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot \"public_mode\" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot \"public_mode\" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths: /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key. They have no normal function and can be disabled without side effects.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-39226",
          "url": "https://www.suse.com/security/cve/CVE-2021-39226"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1191454 for CVE-2021-39226",
          "url": "https://bugzilla.suse.com/1191454"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-39226"
    },
    {
      "cve": "CVE-2021-41174",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-41174"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u0027alert(1)\u0027)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-41174",
          "url": "https://www.suse.com/security/cve/CVE-2021-41174"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1192383 for CVE-2021-41174",
          "url": "https://bugzilla.suse.com/1192383"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-41174"
    },
    {
      "cve": "CVE-2021-41244",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-41244"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. In affected versions when the fine-grained access control beta feature is enabled and there is more than one organization in the Grafana instance admins are able to access users from other organizations. Grafana 8.0 introduced a mechanism which allowed users with the Organization Admin role to list, add, remove, and update users\u0027 roles in other organizations in which they are not an admin. With fine-grained access control enabled, organization admins can list, add, remove and update users\u0027 roles in another organization, where they do not have organization admin role. All installations between v8.0 and v8.2.3 that have fine-grained access control beta enabled and more than one organization should be upgraded as soon as possible. If you cannot upgrade, you should turn off the fine-grained access control using a feature flag.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-41244",
          "url": "https://www.suse.com/security/cve/CVE-2021-41244"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1192763 for CVE-2021-41244",
          "url": "https://bugzilla.suse.com/1192763"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2021-41244"
    },
    {
      "cve": "CVE-2021-43798",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-43798"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) iss vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is: `\u003cgrafana_host_url\u003e/public/plugins//`, where is the plugin ID for any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-43798",
          "url": "https://www.suse.com/security/cve/CVE-2021-43798"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193492 for CVE-2021-43798",
          "url": "https://bugzilla.suse.com/1193492"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-43798"
    },
    {
      "cve": "CVE-2021-43813",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-43813"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. For users who cannot upgrade, running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths. Alternatively, for fully lowercase or fully uppercase .md files, users can block /api/plugins/.*/markdown/.* without losing any functionality beyond inlined plugin help text.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-43813",
          "url": "https://www.suse.com/security/cve/CVE-2021-43813"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193686 for CVE-2021-43813",
          "url": "https://bugzilla.suse.com/1193686"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193688 for CVE-2021-43813",
          "url": "https://bugzilla.suse.com/1193688"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-43813"
    },
    {
      "cve": "CVE-2021-43815",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-43815"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Versions 8.3.2 and 7.5.12 contain a patch for this issue. There is a workaround available for users who cannot upgrade. Running a reverse proxy in front of Grafana that normalizes the PATH of the request will mitigate the vulnerability. The proxy will have to also be able to handle url encoded paths.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-43815",
          "url": "https://www.suse.com/security/cve/CVE-2021-43815"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193686 for CVE-2021-43815",
          "url": "https://bugzilla.suse.com/1193686"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-43815"
    },
    {
      "cve": "CVE-2022-21673",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-21673"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-21673",
          "url": "https://www.suse.com/security/cve/CVE-2022-21673"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1194873 for CVE-2022-21673",
          "url": "https://bugzilla.suse.com/1194873"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-21673"
    },
    {
      "cve": "CVE-2022-21702",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-21702"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-21702",
          "url": "https://www.suse.com/security/cve/CVE-2022-21702"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1195726 for CVE-2022-21702",
          "url": "https://bugzilla.suse.com/1195726"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-21702"
    },
    {
      "cve": "CVE-2022-21703",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-21703"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-21703",
          "url": "https://www.suse.com/security/cve/CVE-2022-21703"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1195727 for CVE-2022-21703",
          "url": "https://bugzilla.suse.com/1195727"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-21703"
    },
    {
      "cve": "CVE-2022-21713",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-21713"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
          "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-21713",
          "url": "https://www.suse.com/security/cve/CVE-2022-21713"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1195728 for CVE-2022-21713",
          "url": "https://bugzilla.suse.com/1195728"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.3:grafana-8.3.5-150200.3.21.1.x86_64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.aarch64",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.ppc64le",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.s390x",
            "openSUSE Leap 15.4:grafana-8.3.5-150200.3.21.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-04-27T07:20:15Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-21713"
    }
  ]
}