CVE-2022-23552 (GCVE-0-2022-23552)
Vulnerability from cvelistv5 – Published: 2023-01-27 22:59 – Updated: 2026-01-28 04:55 – CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| URL | Tags |
|---|---|
| https://github.com/grafana/grafana/security/advis… | x_refsource_CONFIRM |
| https://github.com/grafana/grafana/pull/62143 | x_refsource_MISC |
| https://github.com/grafana/grafana/commit/1c8a50b… | x_refsource_MISC |
| https://github.com/grafana/grafana/commit/8b574e2… | x_refsource_MISC |
| https://github.com/grafana/grafana/commit/c022534… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.570Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230302-0008/"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv"
},
{
"name": "https://github.com/grafana/grafana/pull/62143",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/pull/62143"
},
{
"name": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0"
},
{
"name": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f"
},
{
"name": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23552",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T04:55:35.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0, \u003c 9.2.10"
},
{
"status": "affected",
"version": "\u003e= 9.3, \u003c 9.3.4"
},
{
"status": "affected",
"version": "\u003e= 8.1, \u003c 8.5.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \n\nAn attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T22:59:16.675Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv"
},
{
"name": "https://github.com/grafana/grafana/pull/62143",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/pull/62143"
},
{
"name": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0"
},
{
"name": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f"
},
{
"name": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a"
}
],
"source": {
"advisory": "GHSA-8xmm-x63g-f6xv",
"discovery": "UNKNOWN"
},
"title": "Grafana stored XSS in FileUploader component "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23552",
"datePublished": "2023-01-27T22:59:16.675Z",
"dateReserved": "2022-01-19T21:23:53.801Z",
"dateUpdated": "2026-01-28T04:55:35.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-23552",
"date": "2026-05-19",
"epss": "0.00343",
"percentile": "0.57019"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.1.0\", \"versionEndExcluding\": \"8.5.16\", \"matchCriteriaId\": \"5BD0E7E3-A021-4B47-82B2-761FEBA27EFC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.0.0\", \"versionEndExcluding\": \"9.2.10\", \"matchCriteriaId\": \"7CAA5402-01AD-4FF5-AABE-B227C035F1F4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.3.0\", \"versionEndExcluding\": \"9.3.4\", \"matchCriteriaId\": \"E8642012-7942-4810-8DB0-1894D3BF4662\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \\n\\nAn attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \\n\\nUsers may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.\"}, {\"lang\": \"es\", \"value\": \"Grafana es una plataforma de c\\u00f3digo abierto para monitoreo y observabilidad. A partir de la rama 8.1 y antes de las versiones 8.5.16, 9.2.10 y 9.3.4, Grafana ten\\u00eda una vulnerabilidad XSS almacenada que afectaba al complemento principal GeoMap. La vulnerabilidad XSS almacenada fue posible porque los archivos SVG no se desinfectaron adecuadamente y permitieron la ejecuci\\u00f3n de JavaScript arbitrario en el contexto del usuario actualmente autorizado de la instancia de Grafana. Un atacante debe tener la funci\\u00f3n de Editor para cambiar un panel para incluir una URL externa a un archivo SVG que contenga JavaScript o usar el esquema `datos:` para cargar un archivo SVG en l\\u00ednea que contenga JavaScript. 
Esto significa que es posible una escalada de privilegios vertical, donde un usuario con rol de editor puede cambiar a una contrase\\u00f1a conocida para un usuario que tiene rol de administrador si el usuario con rol de administrador ejecuta JavaScript malicioso al ver un panel. Los usuarios pueden actualizar a la versi\\u00f3n 8.5.16, 9.2.10 o 9.3.4 para recibir una soluci\\u00f3n.\"}]",
"id": "CVE-2022-23552",
"lastModified": "2024-11-21T06:48:47.867",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}]}",
"published": "2023-01-27T23:15:08.597",
"references": "[{\"url\": \"https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/pull/62143\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/pull/62143\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230302-0008/\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23552\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-01-27T23:15:08.597\",\"lastModified\":\"2024-11-21T06:48:47.867\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \\n\\nAn attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \\n\\nUsers may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.\"},{\"lang\":\"es\",\"value\":\"Grafana es una plataforma de c\u00f3digo abierto para monitoreo y observabilidad. A partir de la rama 8.1 y antes de las versiones 8.5.16, 9.2.10 y 9.3.4, Grafana ten\u00eda una vulnerabilidad XSS almacenada que afectaba al complemento principal GeoMap. La vulnerabilidad XSS almacenada fue posible porque los archivos SVG no se desinfectaron adecuadamente y permitieron la ejecuci\u00f3n de JavaScript arbitrario en el contexto del usuario actualmente autorizado de la instancia de Grafana. Un atacante debe tener la funci\u00f3n de Editor para cambiar un panel para incluir una URL externa a un archivo SVG que contenga JavaScript o usar el esquema `datos:` para cargar un archivo SVG en l\u00ednea que contenga JavaScript. 
Esto significa que es posible una escalada de privilegios vertical, donde un usuario con rol de editor puede cambiar a una contrase\u00f1a conocida para un usuario que tiene rol de administrador si el usuario con rol de administrador ejecuta JavaScript malicioso al ver un panel. Los usuarios pueden actualizar a la versi\u00f3n 8.5.16, 9.2.10 o 9.3.4 para recibir una soluci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.1.0\",\"versionEndExcluding\":\"8.5.16\",\"matchCriteriaId\":\"5BD0E7E3-A021-4B47-82B2-761FEBA27EFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.2.10
\",\"matchCriteriaId\":\"7CAA5402-01AD-4FF5-AABE-B227C035F1F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.3.0\",\"versionEndExcluding\":\"9.3.4\",\"matchCriteriaId\":\"E8642012-7942-4810-8DB0-1894D3BF4662\"}]}]}],\"references\":[{\"url\":\"https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/pull/62143\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/pull/62143\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230302-0008/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20230302-0008/\"}, {\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\", \"name\": \"https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/grafana/grafana/pull/62143\", \"name\": \"https://github.com/grafana/grafana/pull/62143\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0\", \"name\": \"https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f\", \"name\": \"https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\", \"name\": \"https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T03:43:46.570Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-23552\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-01T14:04:19.237399Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-01T14:04:23.937Z\"}}], \"cna\": {\"title\": \"Grafana 
stored XSS in FileUploader component \", \"source\": {\"advisory\": \"GHSA-8xmm-x63g-f6xv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"grafana\", \"product\": \"grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 9.0, \u003c 9.2.10\"}, {\"status\": \"affected\", \"version\": \"\u003e= 9.3, \u003c 9.3.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 8.1, \u003c 8.5.16\"}]}], \"references\": [{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\", \"name\": \"https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/grafana/grafana/pull/62143\", \"name\": \"https://github.com/grafana/grafana/pull/62143\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0\", \"name\": \"https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f\", \"name\": \"https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\", \"name\": \"https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grafana 
is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \\n\\nAn attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \\n\\nUsers may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-01-27T22:59:16.675Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-23552\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-28T04:55:35.339Z\", \"dateReserved\": \"2022-01-19T21:23:53.801Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-01-27T22:59:16.675Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
ALSA-2023:6420
Vulnerability from osv_almalinux
Grafana is an open-source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
- grafana: persistent xss in grafana core plugins (CVE-2022-23552)
- grafana: plugin signature bypass (CVE-2022-31123)
- grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)
- grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)
- grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)
- grafana: User enumeration via forget password (CVE-2022-39307)
- grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)
- golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
- golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.10-7.el9_3.alma.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* grafana: persistent xss in grafana core plugins (CVE-2022-23552)\n* grafana: plugin signature bypass (CVE-2022-31123)\n* grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)\n* grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)\n* grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)\n* grafana: User enumeration via forget password (CVE-2022-39307)\n* grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n* golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2023:6420",
"modified": "2023-11-14T12:05:09Z",
"published": "2023-11-07T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-23552"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-31123"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-31130"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-39201"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-39306"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-39307"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-39324"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2023-24534"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2131146"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2131147"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2131148"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2138014"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2138015"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2148252"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2158420"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2161274"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2184483"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2023-6420.html"
}
],
"related": [
"CVE-2022-23552",
"CVE-2022-31123",
"CVE-2022-31130",
"CVE-2022-39201",
"CVE-2022-39306",
"CVE-2022-39307",
"CVE-2022-39324",
"CVE-2022-41717",
"CVE-2023-24534"
],
"summary": "Moderate: grafana security and enhancement update"
}
BDU:2024-02615
Vulnerability from fstec - Published: 27.01.2023
{
"CVSS 2.0": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Grafana Labs",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u043e\u0442 9.3.0 \u0434\u043e 9.3.4 (Grafana), \u043e\u0442 8.1.0 \u0434\u043e 8.5.16 (Grafana), \u043e\u0442 9.0.0 \u0434\u043e 9.2.10 (Grafana)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f grafana:\nhttps://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0 \nhttps://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f \nhttps://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\nhttps://github.com/grafana/grafana/pull/62143\nhttps://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "27.01.2023",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "05.04.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "05.04.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-02615",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-23552",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Grafana",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u043d\u0430\u0431\u043b\u044e\u0434\u0435\u043d\u0438\u044f Grafana, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0435\u0439 \u0432\u0432\u043e\u0434\u0430 \u0432\u043e \u0432\u0440\u0435\u043c\u044f \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438 (XSS)",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b (\u0438\u043b\u0438 \\\u00ab\u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0430\u044f \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u0430\u044f \u0430\u0442\u0430\u043a\u0430\\\u00bb) (CWE-79)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u043d\u0430\u0431\u043b\u044e\u0434\u0435\u043d\u0438\u044f Grafana \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0430\u043b\u0438\u0447\u0438\u0435\u043c \u0444\u0430\u0439\u043b\u043e\u0432 SVG, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043d\u0435 \u0431\u044b\u043b\u0438 \u0434\u043e\u043b\u0436\u043d\u044b\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c \u043e\u0447\u0438\u0449\u0435\u043d\u044b \u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u043b\u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 JavaScript \u0432 \u043a\u043e\u043d\u0442\u0435\u043a\u0441\u0442\u0435 \u0442\u0435\u043a\u0443\u0449\u0435\u0433\u043e \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u044d\u043a\u0437\u0435\u043c\u043f\u043b\u044f\u0440\u0430 Grafana. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438 (XSS)",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0\nhttps://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f\nhttps://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a\nhttps://github.com/grafana/grafana/pull/62143\nhttps://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv\nhttps://redos.red-soft.ru/support/secure/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-79",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,5)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,4)"
}
bit-grafana-2022-23552
Vulnerability from bitnami_vulndb
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.
An attacker needs to have the Editor role in order to change a panel to include either an external URL to an SVG file containing JavaScript, or to use the data: scheme to load an inline SVG file containing JavaScript. This means that vertical privilege escalation is possible: a user with the Editor role can set the password of a user with the Admin role to a known value if that Admin user executes the malicious JavaScript while viewing a dashboard.
Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "grafana",
"purl": "pkg:bitnami/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "8.1.0"
},
{
"fixed": "8.5.16"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.2.10"
},
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.4"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2022-23552"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \n\nAn attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.",
"id": "BIT-grafana-2022-23552",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-03-06T10:57:42.704Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/pull/62143"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230302-0008/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23552"
}
],
"schema_version": "1.5.0",
"summary": "Grafana stored XSS in FileUploader component "
}
FKIE_CVE-2022-23552
Vulnerability from fkie_nvd - Published: 2023-01-27 23:15 - Updated: 2024-11-21 06:48 - 5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/grafana/grafana/pull/62143 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/grafana/grafana/pull/62143 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20230302-0008/ |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5BD0E7E3-A021-4B47-82B2-761FEBA27EFC",
"versionEndExcluding": "8.5.16",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7CAA5402-01AD-4FF5-AABE-B227C035F1F4",
"versionEndExcluding": "9.2.10",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E8642012-7942-4810-8DB0-1894D3BF4662",
"versionEndExcluding": "9.3.4",
"versionStartIncluding": "9.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \n\nAn attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix."
},
{
"lang": "es",
"value": "Grafana es una plataforma de c\u00f3digo abierto para monitoreo y observabilidad. A partir de la rama 8.1 y antes de las versiones 8.5.16, 9.2.10 y 9.3.4, Grafana ten\u00eda una vulnerabilidad XSS almacenada que afectaba al complemento principal GeoMap. La vulnerabilidad XSS almacenada fue posible porque los archivos SVG no se desinfectaron adecuadamente y permitieron la ejecuci\u00f3n de JavaScript arbitrario en el contexto del usuario actualmente autorizado de la instancia de Grafana. Un atacante debe tener la funci\u00f3n de Editor para cambiar un panel para incluir una URL externa a un archivo SVG que contenga JavaScript o usar el esquema `datos:` para cargar un archivo SVG en l\u00ednea que contenga JavaScript. Esto significa que es posible una escalada de privilegios vertical, donde un usuario con rol de editor puede cambiar a una contrase\u00f1a conocida para un usuario que tiene rol de administrador si el usuario con rol de administrador ejecuta JavaScript malicioso al ver un panel. Los usuarios pueden actualizar a la versi\u00f3n 8.5.16, 9.2.10 o 9.3.4 para recibir una soluci\u00f3n."
}
],
"id": "CVE-2022-23552",
"lastModified": "2024-11-21T06:48:47.867",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-27T23:15:08.597",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/pull/62143"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/pull/62143"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230302-0008/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GSD-2022-23552
Vulnerability from gsd - Updated: 2023-12-13 01:19
{
"GSD": {
"alias": "CVE-2022-23552",
"id": "GSD-2022-23552",
"references": [
"https://www.suse.com/security/cve/CVE-2022-23552.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-23552"
],
"details": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.",
"id": "GSD-2022-23552",
"modified": "2023-12-13T01:19:34.875623Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23552",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003e= 9.0, \u003c 9.2.10"
},
{
"version_affected": "=",
"version_value": "\u003e= 9.3, \u003c 9.3.4"
},
{
"version_affected": "=",
"version_value": "\u003e= 8.1, \u003c 8.5.16"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-79",
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv"
},
{
"name": "https://github.com/grafana/grafana/pull/62143",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/pull/62143"
},
{
"name": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0"
},
{
"name": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f"
},
{
"name": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a",
"refsource": "MISC",
"url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a"
}
]
},
"source": {
"advisory": "GHSA-8xmm-x63g-f6xv",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.5.16",
"versionStartIncluding": "8.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.2.10",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.3.4",
"versionStartIncluding": "9.3.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23552"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0"
},
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv"
},
{
"name": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f"
},
{
"name": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a"
},
{
"name": "https://github.com/grafana/grafana/pull/62143",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/grafana/grafana/pull/62143"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2023-02-07T19:57Z",
"publishedDate": "2023-01-27T23:15Z"
}
}
}
OPENSUSE-SU-2024:12659-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-1.1.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-1.1.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-1.1.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-1.1.x86_64 | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-1.1.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-1.1.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-1.1.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.20-1.1.x86_64 | — | Vendor Fix |
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2022-23552/ | self |
| https://www.suse.com/security/cve/CVE-2022-39324/ | self |
| https://www.suse.com/security/cve/CVE-2022-23552 | external |
| https://bugzilla.suse.com/1207749 | external |
| https://www.suse.com/security/cve/CVE-2022-39324 | external |
| https://bugzilla.suse.com/1207750 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-8.5.20-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-8.5.20-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12659",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12659-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23552 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23552/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39324 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39324/"
}
],
"title": "grafana-8.5.20-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12659-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-1.1.aarch64",
"product": {
"name": "grafana-8.5.20-1.1.aarch64",
"product_id": "grafana-8.5.20-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-1.1.ppc64le",
"product": {
"name": "grafana-8.5.20-1.1.ppc64le",
"product_id": "grafana-8.5.20-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-1.1.s390x",
"product": {
"name": "grafana-8.5.20-1.1.s390x",
"product_id": "grafana-8.5.20-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-1.1.x86_64",
"product": {
"name": "grafana-8.5.20-1.1.x86_64",
"product_id": "grafana-8.5.20-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.20-1.1.aarch64"
},
"product_reference": "grafana-8.5.20-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.20-1.1.ppc64le"
},
"product_reference": "grafana-8.5.20-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.20-1.1.s390x"
},
"product_reference": "grafana-8.5.20-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.20-1.1.x86_64"
},
"product_reference": "grafana-8.5.20-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23552",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23552"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-8.5.20-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23552",
"url": "https://www.suse.com/security/cve/CVE-2022-23552"
},
{
"category": "external",
"summary": "SUSE Bug 1207749 for CVE-2022-23552",
"url": "https://bugzilla.suse.com/1207749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-8.5.20-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-8.5.20-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2022-23552"
},
{
"cve": "CVE-2022-39324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39324"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the real original dashboard but to the attacker\u0027s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-8.5.20-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39324",
"url": "https://www.suse.com/security/cve/CVE-2022-39324"
},
{
"category": "external",
"summary": "SUSE Bug 1207750 for CVE-2022-39324",
"url": "https://bugzilla.suse.com/1207750"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-8.5.20-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-8.5.20-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.20-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-39324"
}
]
}
RHSA-2023:6420
Vulnerability from csaf_redhat - Published: 2023-11-07 08:59 - Updated: 2026-05-13 21:29
A flaw was found in the GeoMap and Canvas plugins of Grafana. The GeoMap and Canvas plugins are core plugins in Grafana, which means that all Grafana instances have GeoMap and Canvas installed. These two plugins are vulnerable to cross-site scripting, where an attacker with an Editor role can add an SVG file containing malicious JavaScript code. The JavaScript is executed when a user with an admin role later edits the GeoMap/Canvas panel.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the Grafana web application, where it is possible to install plugins that are not digitally signed. An admin could install unsigned plugins, which may contain malicious code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in Grafana's use of the GitLab data source plugin, which leaks the API key to GitLab. This can result in the destination plugin receiving a Grafana user's authentication token, which could then be used by an attacker.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A prototype pollution vulnerability was found in the parseQuery function in parseQuery.js of the webpack loader-utils package, reachable via the name variable. This flaw can lead to a denial of service or remote code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in Grafana. The vulnerability affects the data source and plugin proxy endpoints under certain conditions. Grafana could leak the authentication cookie of users to plugins, which could affect confidentiality, integrity, and availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
An authentication bypass flaw was discovered in Grafana. This issue could allow a remote unauthenticated attacker who obtains the signup link to create an account and gain access to a particular organization. The highest impacts to the system are to confidentiality and integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
An information leak was discovered in Grafana. Remote unauthenticated users could exploit the forgot-password feature to discover which user accounts exist.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the grafana package. While creating a snapshot, an attacker may manipulate a hidden HTTP parameter to inject a malicious URL into the "Open original dashboard" button.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application. This may allow an attacker to gain complete control of the user's account, including access to private customer data and sensitive information.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function used for HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:6420 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/documentation/en-us/red… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131146 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131147 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131148 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2138014 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2138015 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2148252 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2158420 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2161274 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2184483 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2188193 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2193018 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2022-23552 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2158420 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-23552 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-23552 | external |
| https://grafana.com/blog/2023/01/25/grafana-secur… | external |
| https://access.redhat.com/security/cve/CVE-2022-31123 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131147 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-31123 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-31123 | external |
| https://github.com/grafana/grafana/security/advis… | external |
| https://access.redhat.com/security/cve/CVE-2022-31130 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131146 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-31130 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-31130 | external |
| https://access.redhat.com/security/cve/CVE-2022-37601 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2134876 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-37601 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-37601 | external |
| https://github.com/webpack/loader-utils/issues/212 | external |
| https://access.redhat.com/security/cve/CVE-2022-39201 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131148 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-39201 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-39201 | external |
| https://access.redhat.com/security/cve/CVE-2022-39306 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2138014 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-39306 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-39306 | external |
| https://grafana.com/blog/2022/11/08/security-rele… | external |
| https://access.redhat.com/security/cve/CVE-2022-39307 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2138015 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-39307 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-39307 | external |
| https://access.redhat.com/security/cve/CVE-2022-39324 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2148252 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-39324 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-39324 | external |
| https://access.redhat.com/security/cve/CVE-2022-41717 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2161274 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-41717 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-41717 | external |
| https://go.dev/cl/455635 | external |
| https://go.dev/cl/455717 | external |
| https://go.dev/issue/56350 | external |
| https://groups.google.com/g/golang-announce/c/L_3… | external |
| https://pkg.go.dev/vuln/GO-2022-1144 | external |
| https://access.redhat.com/security/cve/CVE-2023-3128 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2213626 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-3128 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-3128 | external |
| https://grafana.com/blog/2023/06/22/grafana-secur… | external |
| https://access.redhat.com/security/cve/CVE-2023-24534 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2184483 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-24534 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-24534 | external |
| https://go.dev/issue/58975 | external |
| https://groups.google.com/g/golang-announce/c/Xdv… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* grafana: persistent xss in grafana core plugins (CVE-2022-23552)\n\n* grafana: plugin signature bypass (CVE-2022-31123)\n\n* grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)\n\n* grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)\n\n* grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)\n\n* grafana: User enumeration via forget password (CVE-2022-39307)\n\n* grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)\n\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:6420",
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index"
},
{
"category": "external",
"summary": "2131146",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131146"
},
{
"category": "external",
"summary": "2131147",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131147"
},
{
"category": "external",
"summary": "2131148",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131148"
},
{
"category": "external",
"summary": "2138014",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138014"
},
{
"category": "external",
"summary": "2138015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138015"
},
{
"category": "external",
"summary": "2148252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148252"
},
{
"category": "external",
"summary": "2158420",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158420"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "2184483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483"
},
{
"category": "external",
"summary": "2188193",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188193"
},
{
"category": "external",
"summary": "2193018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2193018"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6420.json"
}
],
"title": "Red Hat Security Advisory: grafana security and enhancement update",
"tracking": {
"current_release_date": "2026-05-13T21:29:10+00:00",
"generator": {
"date": "2026-05-13T21:29:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2023:6420",
"initial_release_date": "2023-11-07T08:59:06+00:00",
"revision_history": [
{
"date": "2023-11-07T08:59:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-11-07T08:59:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-13T21:29:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.src",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.src",
"product_id": "grafana-0:9.2.10-7.el9_3.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.aarch64",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.aarch64",
"product_id": "grafana-0:9.2.10-7.el9_3.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"product": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"product_id": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.ppc64le",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.ppc64le",
"product_id": "grafana-0:9.2.10-7.el9_3.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"product": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"product_id": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"product": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.x86_64",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.x86_64",
"product_id": "grafana-0:9.2.10-7.el9_3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64",
"product": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64",
"product_id": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.s390x",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.s390x",
"product_id": "grafana-0:9.2.10-7.el9_3.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"product": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"product_id": "grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"product": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.aarch64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.ppc64le",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.s390x",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.src",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.x86_64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le"
},
"product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x"
},
"product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64"
},
"product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le"
},
"product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x"
},
"product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
},
"product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
]
}
],
"cve": "CVE-2022-23552",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-01-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158420"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the GeoMap and Canvas plugins of Grafana. The GeoMap and Canvas plugins are core plugins in Grafana, which means that all Grafana instances have GeoMap and Canvas installed. These two plugins are vulnerable to cross-site scripting, where an attacker with an Editor role can add an SVG file containing malicious JavaScript code. The JavaScript is executed when a user with an admin role later edits the GeoMap/Canvas panel.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: persistent xss in grafana core plugins",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23552"
},
{
"category": "external",
"summary": "RHBZ#2158420",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158420"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23552",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23552"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23552",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23552"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/",
"url": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/"
}
],
"release_date": "2023-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: persistent xss in grafana core plugins"
},
{
"cve": "CVE-2022-31123",
"discovery_date": "2022-09-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2131147"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana web application, where it is possible to install plugins which are not digitally signed. An admin could install unsigned plugins, which may contain malicious code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: plugin signature bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31123"
},
{
"category": "external",
"summary": "RHBZ#2131147",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131147"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31123",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31123"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31123",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31123"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: plugin signature bypass"
},
{
"cve": "CVE-2022-31130",
"discovery_date": "2022-09-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2131146"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana\u0027s use of the GitLab data source plugin, leaking the API key to GitLab. This can result in the destination plugin receiving a Grafana user\u0027s authentication token, which could be used by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31130"
},
{
"category": "external",
"summary": "RHBZ#2131146",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131146"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31130",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31130"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins"
},
{
"cve": "CVE-2022-37601",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134876"
}
],
"notes": [
{
"category": "description",
"text": "A prototype pollution vulnerability was found in the parseQuery function of parseQuery.js in the webpack loader-utils package, via the name variable. This flaw can lead to a denial of service or remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: prototype pollution in function parseQuery in parseQuery.js",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Packages shipped in Red Hat Enterprise Linux use \u0027loader-utils\u0027 as a transitive dependency, which reduces the impact to Moderate.\n\nIn Red Hat containerized products like OCP and ODF, the vulnerable loader-utils NodeJS module is bundled as a transitive dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37601"
},
{
"category": "external",
"summary": "RHBZ#2134876",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134876"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37601",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37601",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37601"
},
{
"category": "external",
"summary": "https://github.com/webpack/loader-utils/issues/212",
"url": "https://github.com/webpack/loader-utils/issues/212"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: prototype pollution in function parseQuery in parseQuery.js"
},
{
"cve": "CVE-2022-39201",
"discovery_date": "2022-09-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2131148"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. Grafana could leak the authentication cookie of users to plugins, which could result in an impact to confidentiality, integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39201"
},
{
"category": "external",
"summary": "RHBZ#2131148",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131148"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39201",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39201"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39201",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39201"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins"
},
{
"acknowledgments": [
{
"names": [
"Grafana Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-39306",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2022-10-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138014"
}
],
"notes": [
{
"category": "description",
"text": "An authentication bypass flaw was discovered in Grafana. This issue could allow a remote unauthenticated attacker to create an account and provide access to a certain organization, which can be exploited by gaining access to the signup link. The highest impacts to the system are confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: email addresses and usernames cannot be trusted",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39306"
},
{
"category": "external",
"summary": "RHBZ#2138014",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138014"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39306",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39306"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39306",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39306"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/",
"url": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/"
}
],
"release_date": "2022-11-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: email addresses and usernames cannot be trusted"
},
{
"acknowledgments": [
{
"names": [
"Grafana Team"
]
}
],
"cve": "CVE-2022-39307",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2022-10-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138015"
}
],
"notes": [
{
"category": "description",
"text": "An information leak was discovered in Grafana. Remote unauthenticated users could exploit the forget password feature to discover which user accounts exist.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: User enumeration via forget password",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39307"
},
{
"category": "external",
"summary": "RHBZ#2138015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138015"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39307",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39307"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/",
"url": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/"
}
],
"release_date": "2022-11-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: User enumeration via forget password"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-39324",
"cwe": {
"id": "CWE-472",
"name": "External Control of Assumed-Immutable Web Parameter"
},
"discovery_date": "2022-11-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the grafana package. While creating a snapshot, an attacker may manipulate a hidden HTTP parameter to inject a malicious URL in the \"Open original dashboard\" button.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Spoofing of the originalUrl parameter of snapshots",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Service Mesh containers include the Grafana RPM from RHEL and consume CVE fixes for Grafana from RHEL channels. The servicemesh-grafana RPM shipped in early versions of OpenShift Service Mesh 2.1 is no longer maintained.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39324"
},
{
"category": "external",
"summary": "RHBZ#2148252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39324",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39324"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39324",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39324"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/",
"url": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/"
}
],
"release_date": "2023-01-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: Spoofing of the originalUrl parameter of snapshots"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
},
{
"cve": "CVE-2023-3128",
"cwe": {
"id": "CWE-305",
"name": "Authentication Bypass by Primary Weakness"
},
"discovery_date": "2023-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2213626"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana, which validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants, which enables Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant AzureAD OAuth application.\u00a0This may allow an attacker to gain complete control of the user\u0027s account, including access to private customer data and sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: account takeover possible when using Azure AD OAuth",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerability affecting Red Hat Enterprise Linux 8 and 9 has been categorized as moderate, primarily because Azure Active Directory access is not supported by default in Grafana configurations. Specifically, it remains disabled in the Grafana configuration file located at /etc/grafana/grafana.ini within the Azure AD section. Even if someone were to enable Azure Active Directory access, they retain the option to easily revert it back to the default state, ensuring it remains disabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-3128"
},
{
"category": "external",
"summary": "RHBZ#2213626",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213626"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-3128",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3128"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3128",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3128"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/",
"url": "https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/"
}
],
"release_date": "2023-06-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
},
{
"category": "workaround",
"details": "We recommend disabling Azure Active Directory authentication in the Grafana configuration file until a fix is provided.",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: account takeover possible when using Azure AD OAuth"
},
{
"cve": "CVE-2023-24534",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-04-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184483"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Go (Golang), where it is vulnerable to a denial of service caused by memory exhaustion in a function shared by HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, net/textproto: denial of service from excessive memory allocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24534"
},
{
"category": "external",
"summary": "RHBZ#2184483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24534",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24534"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534"
},
{
"category": "external",
"summary": "https://go.dev/issue/58975",
"url": "https://go.dev/issue/58975"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8",
"url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
}
],
"release_date": "2023-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http, net/textproto: denial of service from excessive memory allocation"
}
]
}
RHSA-2023_6420
Vulnerability from csaf_redhat - Published: 2023-11-07 08:59 - Updated: 2024-12-17 22:26
A flaw was found in the GeoMap and Canvas plugins of Grafana. The GeoMap and Canvas plugins are core plugins in Grafana, which means that all Grafana instances have GeoMap and Canvas installed. These two plugins are vulnerable to cross-site scripting, where an attacker with an Editor role can add an SVG file containing malicious JavaScript code. The JavaScript is executed when a user with an Admin role later edits the GeoMap/Canvas panel.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the Grafana web application, where it is possible to install plugins that are not digitally signed. An admin could install unsigned plugins, which may contain malicious code.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in Grafana's use of the GitLab data source plugin, leaking the API key to GitLab. This can result in the destination plugin receiving a Grafana user's authentication token, which could then be used by an attacker.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in Grafana. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. Grafana could leak the authentication cookie of users to plugins, which could result in an impact to confidentiality, integrity, and availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
An authentication bypass flaw was discovered in Grafana. This issue could allow a remote unauthenticated attacker who obtains the signup link to create an account and gain access to a specific organization. The highest impacts to the system are to confidentiality and integrity.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
An information leak was discovered in Grafana. Remote unauthenticated users could abuse the forgot-password feature to discover which user accounts exist.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the grafana package. While creating a snapshot, an attacker may manipulate a hidden HTTP parameter to inject a malicious URL into the "Open original dashboard" button.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in Go (Golang), where it is vulnerable to a denial of service caused by memory exhaustion in a function shared by HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64 | — |
Vendor Fix
fix
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:6420 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/documentation/en-us/red… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131146 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131147 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131148 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2138014 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2138015 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2148252 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2158420 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2161274 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2184483 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2188193 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2193018 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2022-23552 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2158420 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-23552 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-23552 | external |
| https://grafana.com/blog/2023/01/25/grafana-secur… | external |
| https://access.redhat.com/security/cve/CVE-2022-31123 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131147 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-31123 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-31123 | external |
| https://github.com/grafana/grafana/security/advis… | external |
| https://access.redhat.com/security/cve/CVE-2022-31130 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131146 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-31130 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-31130 | external |
| https://access.redhat.com/security/cve/CVE-2022-39201 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131148 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-39201 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-39201 | external |
| https://access.redhat.com/security/cve/CVE-2022-39306 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2138014 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-39306 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-39306 | external |
| https://grafana.com/blog/2022/11/08/security-rele… | external |
| https://access.redhat.com/security/cve/CVE-2022-39307 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2138015 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-39307 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-39307 | external |
| https://access.redhat.com/security/cve/CVE-2022-39324 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2148252 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-39324 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-39324 | external |
| https://access.redhat.com/security/cve/CVE-2022-41717 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2161274 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-41717 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-41717 | external |
| https://go.dev/cl/455635 | external |
| https://go.dev/cl/455717 | external |
| https://go.dev/issue/56350 | external |
| https://groups.google.com/g/golang-announce/c/L_3… | external |
| https://pkg.go.dev/vuln/GO-2022-1144 | external |
| https://access.redhat.com/security/cve/CVE-2023-24534 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2184483 | external |
| https://www.cve.org/CVERecord?id=CVE-2023-24534 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2023-24534 | external |
| https://go.dev/issue/58975 | external |
| https://groups.google.com/g/golang-announce/c/Xdv… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* grafana: persistent xss in grafana core plugins (CVE-2022-23552)\n\n* grafana: plugin signature bypass (CVE-2022-31123)\n\n* grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)\n\n* grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)\n\n* grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)\n\n* grafana: User enumeration via forget password (CVE-2022-39307)\n\n* grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)\n\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:6420",
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index"
},
{
"category": "external",
"summary": "2131146",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131146"
},
{
"category": "external",
"summary": "2131147",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131147"
},
{
"category": "external",
"summary": "2131148",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131148"
},
{
"category": "external",
"summary": "2138014",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138014"
},
{
"category": "external",
"summary": "2138015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138015"
},
{
"category": "external",
"summary": "2148252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148252"
},
{
"category": "external",
"summary": "2158420",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158420"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "2184483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483"
},
{
"category": "external",
"summary": "2188193",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188193"
},
{
"category": "external",
"summary": "2193018",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2193018"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6420.json"
}
],
"title": "Red Hat Security Advisory: grafana security and enhancement update",
"tracking": {
"current_release_date": "2024-12-17T22:26:37+00:00",
"generator": {
"date": "2024-12-17T22:26:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:6420",
"initial_release_date": "2023-11-07T08:59:06+00:00",
"revision_history": [
{
"date": "2023-11-07T08:59:06+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-11-07T08:59:06+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T22:26:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.src",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.src",
"product_id": "grafana-0:9.2.10-7.el9_3.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.aarch64",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.aarch64",
"product_id": "grafana-0:9.2.10-7.el9_3.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"product": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"product_id": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.ppc64le",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.ppc64le",
"product_id": "grafana-0:9.2.10-7.el9_3.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"product": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"product_id": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"product": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.x86_64",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.x86_64",
"product_id": "grafana-0:9.2.10-7.el9_3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64",
"product": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64",
"product_id": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"product": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.2.10-7.el9_3.s390x",
"product": {
"name": "grafana-0:9.2.10-7.el9_3.s390x",
"product_id": "grafana-0:9.2.10-7.el9_3.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"product": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"product_id": "grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"product": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.aarch64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.ppc64le",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.s390x",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.src",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.2.10-7.el9_3.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64"
},
"product_reference": "grafana-0:9.2.10-7.el9_3.x86_64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le"
},
"product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x"
},
"product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64"
},
"product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64"
},
"product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le"
},
"product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x"
},
"product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"relates_to_product_reference": "AppStream-9.3.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
},
"product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64",
"relates_to_product_reference": "AppStream-9.3.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
]
}
],
"cve": "CVE-2022-23552",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-01-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158420"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the GeoMap and Canvas plugins of Grafana. The GeoMap and Canvas plugins are core plugins in Grafana, which means that all Grafana instances have GeoMap and Canvas installed. These two plugins are vulnerable to Cross-site scripting, where an attacker with an Editor role can add an SVG file containing malicious JavaScript code. The JavaScript is executed when a user with an admin role later edits the GeoMap/Canvas panel.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: persistent xss in grafana core plugins",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23552"
},
{
"category": "external",
"summary": "RHBZ#2158420",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158420"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23552",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23552"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23552",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23552"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/",
"url": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/"
}
],
"release_date": "2023-01-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: persistent xss in grafana core plugins"
},
{
"cve": "CVE-2022-31123",
"discovery_date": "2022-09-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2131147"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana web application, where it is possible to install plugins which are not digitally signed. An admin could install unsigned plugins, which may contain malicious code.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: plugin signature bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31123"
},
{
"category": "external",
"summary": "RHBZ#2131147",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131147"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31123",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31123"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31123",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31123"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: plugin signature bypass"
},
{
"cve": "CVE-2022-31130",
"discovery_date": "2022-09-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2131146"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana\u0027s use of the GitLab data source plugin, leaking the API key to GitLab. This can result in the destination plugin receiving a Grafana user\u0027s authentication token, which could be used by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31130"
},
{
"category": "external",
"summary": "RHBZ#2131146",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131146"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31130",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31130"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins"
},
{
"cve": "CVE-2022-39201",
"discovery_date": "2022-09-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2131148"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. Grafana could leak the authentication cookie of users to plugins, which could result in an impact to confidentiality, integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39201"
},
{
"category": "external",
"summary": "RHBZ#2131148",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131148"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39201",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39201"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39201",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39201"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins"
},
{
"acknowledgments": [
{
"names": [
"Grafana Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-39306",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2022-10-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138014"
}
],
"notes": [
{
"category": "description",
"text": "An authentication bypass flaw was discovered in Grafana. This issue could allow a remote unauthenticated attacker to create an account and provide access to a certain organization, which can be exploited by gaining access to the signup link. The highest impacts to the system are confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: email addresses and usernames cannot be trusted",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39306"
},
{
"category": "external",
"summary": "RHBZ#2138014",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138014"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39306",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39306"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39306",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39306"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/",
"url": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/"
}
],
"release_date": "2022-11-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: email addresses and usernames cannot be trusted"
},
{
"acknowledgments": [
{
"names": [
"Grafana Team"
]
}
],
"cve": "CVE-2022-39307",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-10-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138015"
}
],
"notes": [
{
"category": "description",
"text": "An information leak was discovered in Grafana. Remote unauthenticated users could exploit the forget password feature to discover which user accounts exist.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: User enumeration via forget password",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39307"
},
{
"category": "external",
"summary": "RHBZ#2138015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138015"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39307",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39307"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/",
"url": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/"
}
],
"release_date": "2022-11-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: User enumeration via forget password"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2022-39324",
"cwe": {
"id": "CWE-472",
"name": "External Control of Assumed-Immutable Web Parameter"
},
"discovery_date": "2022-11-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the grafana package. While creating a snapshot, an attacker may manipulate a hidden HTTP parameter to inject a malicious URL in the \"Open original dashboard\" button.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Spoofing of the originalUrl parameter of snapshots",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Service Mesh containers include the Grafana RPM from RHEL and consume CVE fixes for Grafana from RHEL channels. The servicemesh-grafana RPM shipped in early versions of OpenShift Service Mesh 2.1 is no longer maintained.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39324"
},
{
"category": "external",
"summary": "RHBZ#2148252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39324",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39324"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39324",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39324"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/",
"url": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/"
}
],
"release_date": "2023-01-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: Spoofing of the originalUrl parameter of snapshots"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as \"will not fix\". Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
},
{
"cve": "CVE-2023-24534",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-04-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184483"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in a common function used in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, net/textproto: denial of service from excessive memory allocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24534"
},
{
"category": "external",
"summary": "RHBZ#2184483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24534",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24534"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534"
},
{
"category": "external",
"summary": "https://go.dev/issue/58975",
"url": "https://go.dev/issue/58975"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8",
"url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
}
],
"release_date": "2023-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-07T08:59:06+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6420"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src",
"AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x",
"AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http, net/textproto: denial of service from excessive memory allocation"
}
]
}
SUSE-SU-2023:0811-1
Vulnerability from csaf_suse - Published: 2023-03-20 15:29 - Updated: 2023-03-20 15:29
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch | — | Vendor Fix |
| Unresolved product id: SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch | — | Vendor Fix |
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/s… | self |
| https://www.suse.com/support/update/announcement/… | self |
| https://lists.suse.com/pipermail/sle-security-upd… | self |
| https://bugzilla.suse.com/1205759 | self |
| https://bugzilla.suse.com/1207352 | self |
| https://bugzilla.suse.com/1207749 | self |
| https://bugzilla.suse.com/1207750 | self |
| https://bugzilla.suse.com/1208065 | self |
| https://bugzilla.suse.com/1208293 | self |
| https://www.suse.com/security/cve/CVE-2022-23552/ | self |
| https://www.suse.com/security/cve/CVE-2022-39324/ | self |
| https://www.suse.com/security/cve/CVE-2022-41723/ | self |
| https://www.suse.com/security/cve/CVE-2022-46146/ | self |
| https://www.suse.com/security/cve/CVE-2022-23552 | external |
| https://bugzilla.suse.com/1207749 | external |
| https://www.suse.com/security/cve/CVE-2022-39324 | external |
| https://bugzilla.suse.com/1207750 | external |
| https://www.suse.com/security/cve/CVE-2022-41723 | external |
| https://bugzilla.suse.com/1208270 | external |
| https://bugzilla.suse.com/1215588 | external |
| https://www.suse.com/security/cve/CVE-2022-46146 | external |
| https://bugzilla.suse.com/1208046 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for SUSE Manager Client Tools",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update fixes the following issues:\n\ngrafana:\n\n- CVE-2022-46146: Fix basic authentication bypass by updating the exporter\n toolkit to version 0.7.3 (bsc#1208065)\n- CVE-2022-41723: Require Go 1.19 or newer (bsc#1208293)\n- Update to version 8.5.20:\n * CVE-2022-23552: Security: SVG: Add dompurify preprocessor step (bsc#1207749)\n * CVE-2022-39324: Security: Snapshots: Fix originalUrl spoof security issue\n (bsc#1207750)\n * Security: Omit error from http response \n * Bug fix: Email and username trimming and invitation validation\n\nspacecmd:\n\n- Version 4.3.19-1\n * Fix spacecmd not showing any output for softwarechannel_diff\n and softwarechannel_errata_diff (bsc#1207352)\n * Prevent string api parameters to be parsed as dates if not in\n ISO-8601 format (bsc#1205759)\n\nspacewalk-client-tools:\n\n- Version 4.3.15-1\n * Update translation strings\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-811,SUSE-SLE-Manager-Tools-12-2023-811",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_0811-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2023:0811-1",
"url": "https://www.suse.com/support/update/announcement/2023/suse-su-20230811-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2023:0811-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2023-March/014099.html"
},
{
"category": "self",
"summary": "SUSE Bug 1205759",
"url": "https://bugzilla.suse.com/1205759"
},
{
"category": "self",
"summary": "SUSE Bug 1207352",
"url": "https://bugzilla.suse.com/1207352"
},
{
"category": "self",
"summary": "SUSE Bug 1207749",
"url": "https://bugzilla.suse.com/1207749"
},
{
"category": "self",
"summary": "SUSE Bug 1207750",
"url": "https://bugzilla.suse.com/1207750"
},
{
"category": "self",
"summary": "SUSE Bug 1208065",
"url": "https://bugzilla.suse.com/1208065"
},
{
"category": "self",
"summary": "SUSE Bug 1208293",
"url": "https://bugzilla.suse.com/1208293"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23552 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23552/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39324 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39324/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-41723 page",
"url": "https://www.suse.com/security/cve/CVE-2022-41723/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-46146 page",
"url": "https://www.suse.com/security/cve/CVE-2022-46146/"
}
],
"title": "Security update for SUSE Manager Client Tools",
"tracking": {
"current_release_date": "2023-03-20T15:29:15Z",
"generator": {
"date": "2023-03-20T15:29:15Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2023:0811-1",
"initial_release_date": "2023-03-20T15:29:15Z",
"revision_history": [
{
"date": "2023-03-20T15:29:15Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-1.42.1.aarch64",
"product": {
"name": "grafana-8.5.20-1.42.1.aarch64",
"product_id": "grafana-8.5.20-1.42.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-1.42.1.i586",
"product": {
"name": "grafana-8.5.20-1.42.1.i586",
"product_id": "grafana-8.5.20-1.42.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "python2-spacewalk-check-4.3.15-52.86.1.noarch",
"product": {
"name": "python2-spacewalk-check-4.3.15-52.86.1.noarch",
"product_id": "python2-spacewalk-check-4.3.15-52.86.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"product": {
"name": "python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"product_id": "python2-spacewalk-client-setup-4.3.15-52.86.1.noarch"
}
},
{
"category": "product_version",
"name": "python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"product": {
"name": "python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"product_id": "python2-spacewalk-client-tools-4.3.15-52.86.1.noarch"
}
},
{
"category": "product_version",
"name": "spacecmd-4.3.19-38.118.1.noarch",
"product": {
"name": "spacecmd-4.3.19-38.118.1.noarch",
"product_id": "spacecmd-4.3.19-38.118.1.noarch"
}
},
{
"category": "product_version",
"name": "spacewalk-check-4.3.15-52.86.1.noarch",
"product": {
"name": "spacewalk-check-4.3.15-52.86.1.noarch",
"product_id": "spacewalk-check-4.3.15-52.86.1.noarch"
}
},
{
"category": "product_version",
"name": "spacewalk-client-setup-4.3.15-52.86.1.noarch",
"product": {
"name": "spacewalk-client-setup-4.3.15-52.86.1.noarch",
"product_id": "spacewalk-client-setup-4.3.15-52.86.1.noarch"
}
},
{
"category": "product_version",
"name": "spacewalk-client-tools-4.3.15-52.86.1.noarch",
"product": {
"name": "spacewalk-client-tools-4.3.15-52.86.1.noarch",
"product_id": "spacewalk-client-tools-4.3.15-52.86.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-1.42.1.ppc64le",
"product": {
"name": "grafana-8.5.20-1.42.1.ppc64le",
"product_id": "grafana-8.5.20-1.42.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-1.42.1.s390x",
"product": {
"name": "grafana-8.5.20-1.42.1.s390x",
"product_id": "grafana-8.5.20-1.42.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.20-1.42.1.x86_64",
"product": {
"name": "grafana-8.5.20-1.42.1.x86_64",
"product_id": "grafana-8.5.20-1.42.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Manager Client Tools 12",
"product": {
"name": "SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-1.42.1.aarch64 as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64"
},
"product_reference": "grafana-8.5.20-1.42.1.aarch64",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-1.42.1.ppc64le as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le"
},
"product_reference": "grafana-8.5.20-1.42.1.ppc64le",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-1.42.1.s390x as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x"
},
"product_reference": "grafana-8.5.20-1.42.1.s390x",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.20-1.42.1.x86_64 as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64"
},
"product_reference": "grafana-8.5.20-1.42.1.x86_64",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-spacewalk-check-4.3.15-52.86.1.noarch as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch"
},
"product_reference": "python2-spacewalk-check-4.3.15-52.86.1.noarch",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-spacewalk-client-setup-4.3.15-52.86.1.noarch as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch"
},
"product_reference": "python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python2-spacewalk-client-tools-4.3.15-52.86.1.noarch as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch"
},
"product_reference": "python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "spacecmd-4.3.19-38.118.1.noarch as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch"
},
"product_reference": "spacecmd-4.3.19-38.118.1.noarch",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "spacewalk-check-4.3.15-52.86.1.noarch as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch"
},
"product_reference": "spacewalk-check-4.3.15-52.86.1.noarch",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "spacewalk-client-setup-4.3.15-52.86.1.noarch as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch"
},
"product_reference": "spacewalk-client-setup-4.3.15-52.86.1.noarch",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "spacewalk-client-tools-4.3.15-52.86.1.noarch as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
},
"product_reference": "spacewalk-client-tools-4.3.15-52.86.1.noarch",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23552",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23552"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \n\nAn attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23552",
"url": "https://www.suse.com/security/cve/CVE-2022-23552"
},
{
"category": "external",
"summary": "SUSE Bug 1207749 for CVE-2022-23552",
"url": "https://bugzilla.suse.com/1207749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-03-20T15:29:15Z",
"details": "important"
}
],
"title": "CVE-2022-23552"
},
{
"cve": "CVE-2022-39324",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39324"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the real original dashboard but to the attacker\u0027s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39324",
"url": "https://www.suse.com/security/cve/CVE-2022-39324"
},
{
"category": "external",
"summary": "SUSE Bug 1207750 for CVE-2022-39324",
"url": "https://bugzilla.suse.com/1207750"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-03-20T15:29:15Z",
"details": "moderate"
}
],
"title": "CVE-2022-39324"
},
{
"cve": "CVE-2022-41723",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-41723"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-41723",
"url": "https://www.suse.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "SUSE Bug 1208270 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1208270"
},
{
"category": "external",
"summary": "SUSE Bug 1215588 for CVE-2022-41723",
"url": "https://bugzilla.suse.com/1215588"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-03-20T15:29:15Z",
"details": "important"
}
],
"title": "CVE-2022-41723"
},
{
"cve": "CVE-2022-46146",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-46146"
}
],
"notes": [
{
"category": "general",
"text": "Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users\u0027 bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-46146",
"url": "https://www.suse.com/security/cve/CVE-2022-46146"
},
{
"category": "external",
"summary": "SUSE Bug 1208046 for CVE-2022-46146",
"url": "https://bugzilla.suse.com/1208046"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.20-1.42.1.x86_64",
"SUSE Manager Client Tools 12:python2-spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:python2-spacewalk-client-tools-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacecmd-4.3.19-38.118.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-check-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-setup-4.3.15-52.86.1.noarch",
"SUSE Manager Client Tools 12:spacewalk-client-tools-4.3.15-52.86.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-03-20T15:29:15Z",
"details": "important"
}
],
"title": "CVE-2022-46146"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.