cvelistv5 - cve-2021-41174

URL	Tags
security-advisories@github.com	https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8	Third Party Advisory
security-advisories@github.com	https://security.netapp.com/advisory/ntap-20211125-0003/	Third Party Advisory

▼	Vendor	Product
	grafana	grafana

gsd-2021-41174

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(‘alert(1)’)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.

Aliases

CVE-2021-41174

Aliases

CVE-2021-41174

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-41174",
    "description": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.",
    "id": "GSD-2021-41174",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-41174.html",
      "https://security.archlinux.org/CVE-2021-41174"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-41174"
      ],
      "details": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.",
      "id": "GSD-2021-41174",
      "modified": "2023-12-13T01:23:27.256947Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-41174",
        "STATE": "PUBLIC",
        "TITLE": "XSS vulnerability allowing arbitrary JavaScript execution"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "grafana",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 8.0.0, \u003c 8.2.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "grafana"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8",
            "refsource": "CONFIRM",
            "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
          },
          {
            "name": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912",
            "refsource": "MISC",
            "url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
          },
          {
            "name": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82",
            "refsource": "MISC",
            "url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
          },
          {
            "name": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88",
            "refsource": "MISC",
            "url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20211125-0003/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20211125-0003/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-3j9m-hcv9-rpj8",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=8.0.0 \u003c8.2.3",
          "affected_versions": "All versions starting from 8.0.0 before 8.2.3",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2021-11-29",
          "description": "Grafana is an open-source platform for monitoring and observability. arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.",
          "fixed_versions": [
            "8.2.3"
          ],
          "identifier": "CVE-2021-41174",
          "identifiers": [
            "GHSA-3j9m-hcv9-rpj8",
            "CVE-2021-41174"
          ],
          "not_impacted": "All versions before 8.0.0, all versions starting from 8.2.3",
          "package_slug": "npm/@grafana/data",
          "pubdate": "2021-11-08",
          "solution": "Upgrade to version 8.2.3 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8",
            "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912",
            "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82",
            "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41174",
            "https://security.netapp.com/advisory/ntap-20211125-0003/",
            "https://github.com/advisories/GHSA-3j9m-hcv9-rpj8"
          ],
          "uuid": "35963801-c88c-4b69-a91b-782735339643"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.2.3",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41174"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(\u2018alert(1)\u2019)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
            },
            {
              "name": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
            },
            {
              "name": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
            },
            {
              "name": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20211125-0003/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20211125-0003/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2021-11-29T17:13Z",
      "publishedDate": "2021-11-03T18:15Z"
    }
  }
}

ghsa-3j9m-hcv9-rpj8

Vulnerability from github

Published

2021-11-08 18:13

Modified

2021-11-29 15:05

Severity ?

6.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N

Summary

XSS vulnerability allowing arbitrary JavaScript execution

Details

Today we are releasing Grafana 8.2.3. This patch release includes an important security fix for an issue that affects all Grafana versions from 8.0.0-beta1.

Grafana Cloud instances have already been patched and an audit did not find any usage of this attack vector. Grafana Enterprise customers were provided with updated binaries under embargo.

CVE-2021-41174 XSS vulnerability on unauthenticated pages

Summary

CVSS Score: 6.9 Medium CVSS:CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:R/CR:L/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:N/MI:H/MA:L

We received a security report to security@grafana.com on 2021-10-21 about a vulnerability in Grafana regarding the XSS vulnerability.

It was later identified as affecting Grafana versions from 8.0.0-beta1 to 8.2.2. CVE-2021-41174 has been assigned to this vulnerability.

Impact

If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser.

The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar.

There are two ways an unauthenticated user can open a page in Grafana that contains the login button: - Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack. - The link is to an unauthenticated page. The following pages are vulnerable: - /dashboard-solo/snapshot/* - /dashboard/snapshot/* - /invite/:code

The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}. This can be included in the link URL like this:

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

Attack audit

We can not guarantee that the below will identify all attacks, so if you find something using the audit process described below, you should consider doing a full assessment.

Through reverse proxy/load balancer logs

To determine if your Grafana installation has been exploited for this vulnerability, search through your reverse proxy/load balancer access logs for instances where the path contains {{ followed by something that would invoke JavaScript code. For example, this could be code that attempts to show a fake login page or to steal browser or session data. The OWASP cheat sheet has several examples of XSS attacks.

Through the Grafana Enterprise audit feature

If you enabled “Log web requests” in your configuration with router_logging = true, look for requests where path contains {{ followed by something that would invoke JavaScript code.

Patched versions

Release 8.2.3:

Solutions and mitigations

Download and install the appropriate patch for your version of Grafana.

Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries under embargo.

Workaround

If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.

Example of an Nginx rule to block the literal string {{:

location ~ \{\{ { deny all; }

Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

2021-10-21 23:13: Security researcher sends the initial report about an XSS vulnerability.
2021-10-21 23:13: Confirmed to be reproducible in at least versions 8.0.5 and 8.2.2.
2021-10-22 02:02 MEDIUM severity declared.
2021-10-22 09:22: it is discovered that Grafana instances with anonymous auth turned on are vulnerable. This includes https://play.grafana.org/ .
2021-10-22 09:50: Anonymous access disabled for all instances on Grafana Cloud as a mitigation measure.
2021-10-22 11:15: Workaround deployed on Grafana Cloud that blocks malicious requests.
2021-10-22 12:35: Enabled anonymous access for instances on Grafana Cloud.
2021-10-22 12:51: All instances protected by the workaround. From this point forward, Grafana Cloud is no longer affected.
2021-10-22 14:05 Grafana Cloud instances updated with a fix.
2021-10-22 19:23 :Determination that no weekend work is needed as the issue is of MEDIUM severity and the root cause has been identified.
2021-10-25 14:13: Audit of Grafana Cloud concluded, no evidence of exploitation.
2021-10-27 12:00: Grafana Enterprise images released to customers under embargo.
2021-11-03 12:00: Public release.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including but not limited to Grafana, Tempo, Loki, k6, Tanka, and Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com by searching for security@grafana.

Security announcements

There is a Security category on the Grafana blog where we will post a summary, remediation, and mitigation details for any patch containing security fixes and you can subscribe to updates from our Security Announcements RSS feed.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grafana/data"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-03T18:18:08Z",
    "nvd_published_at": "2021-11-03T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Today we are releasing Grafana 8.2.3. This patch release includes an important security fix for an issue that affects all Grafana versions from 8.0.0-beta1.\n\n[Grafana Cloud](https://grafana.com/cloud) instances have already been patched and an audit did not find any usage of this attack vector. [Grafana Enterprise](https://grafana.com/products/enterprise) customers were provided with updated binaries under embargo.\n\n## CVE-2021-41174 XSS vulnerability on unauthenticated pages\n\n### Summary\n\nCVSS Score: 6.9 Medium\nCVSS:[CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:R/CR:L/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:N/MI:H/MA:L](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:R/CR:L/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:N/MI:H/MA:L)\n\nWe received a security report to security@grafana.com on 2021-10-21 about a vulnerability in Grafana regarding the XSS vulnerability.\n\nIt was later identified as affecting Grafana versions from 8.0.0-beta1 to 8.2.2. [CVE-2021-41174](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41174) has been assigned to this vulnerability.\n\n### Impact\n\nIf an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim\u0027s browser.\n\nThe user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar.\n\nThere are two ways an unauthenticated user can open a page in Grafana that contains the login button:\n- Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.\n- The link is to an unauthenticated page. The following pages are vulnerable:\n  - `/dashboard-solo/snapshot/*`\n  - `/dashboard/snapshot/*`\n  - `/invite/:code`\n\nThe url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} \n\nAn example of an expression would be: `{{constructor.constructor(\u2018alert(1)\u2019)()}}`. This can be included in the link URL like this: \n\nhttps://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor(\u0027alert(1)\u0027)()%7D%7D?orgId=1\n\nWhen the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.\n\n### Attack audit\n\nWe can not guarantee that the below will identify all attacks, so if you find something using the audit process described below, you should consider doing a full assessment.\n\n#### Through reverse proxy/load balancer logs\n\nTo determine if your Grafana installation has been exploited for this vulnerability, search through your reverse proxy/load balancer access logs for instances where the path contains `{{` followed by something that would invoke JavaScript code. For example, this could be code that attempts to show a fake login page or to steal browser or session data. The [OWASP cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html) has several examples of XSS attacks.\n\n#### Through the Grafana Enterprise audit feature\n\nIf you enabled \u201cLog web requests\u201d in your configuration with `router_logging = true`, look for requests where `path` contains `{{` followed by something that would invoke JavaScript code.\n\n### Patched versions\n\nRelease 8.2.3:\n\n- [Download Grafana 8.2.3](https://grafana.com/grafana/download/8.2.3)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-2-3/)\n\n### Solutions and mitigations\n\nDownload and install the appropriate patch for your version of Grafana.\n\n[Grafana Cloud](https://grafana.com/cloud) instances have already been patched, and [Grafana Enterprise](https://grafana.com/products/enterprise) customers were provided with updated binaries under embargo.\n\n### Workaround\n\nIf for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string `{{` in the path.\n\nExample of an Nginx rule to block the literal string `{{`:\n\n```\nlocation ~ \\{\\{ {\n    deny all;\n}\n```\n### Timeline and postmortem\n\nHere is a detailed timeline starting from when we originally learned of the issue. All times in UTC. \n\n* 2021-10-21 23:13: Security researcher sends the initial report about an XSS vulnerability.\n* 2021-10-21 23:13: Confirmed to be reproducible in at least versions 8.0.5 and 8.2.2.\n* 2021-10-22 02:02 MEDIUM severity declared.\n* 2021-10-22 09:22: it is discovered that Grafana instances with anonymous auth turned on are vulnerable. This includes https://play.grafana.org/ .\n* 2021-10-22 09:50: Anonymous access disabled for all instances on Grafana Cloud as a mitigation measure.\n* 2021-10-22 11:15: Workaround deployed on Grafana Cloud that blocks malicious requests.\n* 2021-10-22 12:35: Enabled anonymous access for instances on Grafana Cloud. \n* 2021-10-22 12:51: All instances protected by the workaround. From this point forward, Grafana Cloud is no longer affected.\n* 2021-10-22 14:05 Grafana Cloud instances updated with a fix.\n* 2021-10-22 19:23 :Determination that no weekend work is needed as the issue is of MEDIUM severity and the root cause has been identified.\n* 2021-10-25 14:13: Audit of Grafana Cloud concluded, no evidence of exploitation.\n* 2021-10-27 12:00: Grafana Enterprise images released to customers under embargo.\n* 2021-11-03 12:00: Public release.\n\n## Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to [security@grafana.com](mailto:security@grafana.com). This address can be used for all of\nGrafana Labs\u0027 open source and commercial products (including but not limited to Grafana, Tempo, Loki, k6, Tanka, and  Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:\n\nF988 7BEA 027A 049F AE8E  5CAA D125 8932 BE24 C5CA\n\nThe key is available from [ keyserver.ubuntu.com]( https://keyserver.ubuntu.com/pks/lookup?op=get\u0026fingerprint=on\u0026search=0xD1258932BE24C5CA) by searching for [security@grafana]( https://keyserver.ubuntu.com/pks/lookup?search=security@grafana\u0026fingerprint=on\u0026op=index).\n\n## Security announcements\n\nThere is a Security [category](https://grafana.com/tags/security/) on the Grafana blog where we will post a summary, remediation, and mitigation details for any patch containing security fixes and you can subscribe to updates from our [Security Announcements RSS feed](https://grafana.com/tags/security/index.xml).",
  "id": "GHSA-3j9m-hcv9-rpj8",
  "modified": "2021-11-29T15:05:31Z",
  "published": "2021-11-08T18:13:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/31b78d51c693d828720a5b285107a50e6024c912"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/3cb5214fa45eb5a571fd70d6c6edf0d729983f82"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/commit/fb85ed691290d211a5baa44d9a641ab137f0de88"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211125-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XSS vulnerability allowing arbitrary JavaScript execution"
}

wid-sec-w-2022-0402

Vulnerability from csaf_certbund

Published

2021-11-03 23:00

Modified

2024-01-23 23:00

Summary

Grafana: Schwachstelle ermöglicht Cross-Site Scripting

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Grafana ist eine Open-Source Analyse- und Visualisierungssoftware.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Grafana ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Grafana ist eine Open-Source Analyse- und Visualisierungssoftware.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Grafana ausnutzen, um einen Cross-Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-0402 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2021/wid-sec-w-2022-0402.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-0402 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0402"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugzilla - Bug 2019952 vom 2021-11-03",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2019952"
      },
      {
        "category": "external",
        "summary": "OSS Mailingliste vom 2021-11-03",
        "url": "https://www.openwall.com/lists/oss-security/2021/11/03/1"
      },
      {
        "category": "external",
        "summary": "Arch Linux Security Advisory ASA-202111-5 vom 2021-11-05",
        "url": "https://security.archlinux.org/ASA-202111-5"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:0751-1 vom 2022-03-08",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-March/010387.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:1396-1 vom 2022-04-25",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-April/010822.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:2134-1 vom 2022-06-20",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-June/011316.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:3676-1 vom 2022-10-20",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012594.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:4437-1 vom 2022-12-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-December/013220.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:4428-1 vom 2022-12-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-December/013218.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:4439-1 vom 2022-12-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-December/013221.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0191-1 vom 2024-01-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017744.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0196-1 vom 2024-01-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017743.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Grafana: Schwachstelle erm\u00f6glicht Cross-Site Scripting",
    "tracking": {
      "current_release_date": "2024-01-23T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T16:49:26.386+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2022-0402",
      "initial_release_date": "2021-11-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2021-11-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2021-11-07T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Arch Linux aufgenommen"
        },
        {
          "date": "2022-03-08T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-04-25T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-06-20T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-10-20T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-12-12T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-01-23T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "8"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Arch Linux",
            "product": {
              "name": "Open Source Arch Linux",
              "product_id": "T013312",
              "product_identification_helper": {
                "cpe": "cpe:/o:archlinux:archlinux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Open Source Grafana \u003c 8.2.3",
            "product": {
              "name": "Open Source Grafana \u003c 8.2.3",
              "product_id": "T020909",
              "product_identification_helper": {
                "cpe": "cpe:/a:grafana:grafana:8.2.3"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-41174",
      "notes": [
        {
          "category": "description",
          "text": "In Grafana existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "T013312"
        ]
      },
      "release_date": "2021-11-03T23:00:00Z",
      "title": "CVE-2021-41174"
    }
  ]
}

Action not permitted

cve-2021-41174

Vulnerability from cvelistv5

gsd-2021-41174

Vulnerability from gsd

ghsa-3j9m-hcv9-rpj8

Vulnerability from github

CVE-2021-41174 XSS vulnerability on unauthenticated pages

Summary

Impact

Attack audit

Through reverse proxy/load balancer logs

Through the Grafana Enterprise audit feature

Patched versions

Solutions and mitigations

Workaround

Timeline and postmortem

Reporting security issues

Security announcements

wid-sec-w-2022-0402

Vulnerability from csaf_certbund

Tags