Action not permitted
Modal body text goes here.
cve-2023-1387
Vulnerability from cvelistv5
Published
2023-04-26 13:47
Modified
2024-08-02 05:49
Severity ?
EPSS score ?
Summary
Grafana is an open-source platform for monitoring and observability.
Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token.
By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Grafana | Grafana | |
| Grafana | Grafana Enterprise |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.2.17",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
}
]
},
{
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.2.17",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \u003c/p\u003e\u003cp\u003eBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-116",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-116"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-26T13:47:16.914Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-1387",
"datePublished": "2023-04-26T13:47:16.914Z",
"dateReserved": "2023-03-14T11:11:01.304Z",
"dateUpdated": "2024-08-02T05:49:11.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-1387\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2023-04-26T14:15:09.430\",\"lastModified\":\"2023-06-09T08:15:09.287\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grafana is an open-source platform for monitoring and observability. \\n\\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \\n\\nBy enabling the \\\"url_login\\\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\\n\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.5,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.1.0\",\"versionEndExcluding\":\"9.2.17\",\"matchCriteriaId\":\"5664FC02-E4AA-41EC-8EAA-300AD2272CC2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.3.0\",\"versionEndExcluding\":\"9.3.13\",\"matchCriteriaId\":\"5A544263-545D-4D86-B29F-F7FC12E9A34F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.4.0\",\"versionEndExcluding\":\"9.4.9\",\"matchCriteriaId\":\"99EBCA47-A3CD-4C20-B151-300D43426EB2\"}]}]}],\"references\":[{\"url\":\"https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j\",\"source\":\"security@grafana.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://grafana.com/security/security-advisories/cve-2023-1387/\",\"source\":\"security@grafana.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230609-0003/\",\"source\":\"security@grafana.com\"}]}}"
}
}
rhsa-2024_0746
Vulnerability from csaf_redhat
Published
2024-02-08 16:49
Modified
2024-11-06 04:58
Summary
Red Hat Security Advisory: new container image: rhceph-5.3
Notes
Topic
Updated container image for Red Hat Ceph Storage 5.3 is now available in
the Red Hat Ecosystem Catalog.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Ceph Storage is a scalable, open, software-defined storage platform
that combines the most stable version of the Ceph storage system with a
Ceph management platform, deployment utilities, and support services.
This updated container image is based on Red Hat Ceph Storage 5.3 and Red
Hat Enterprise Linux.
Space precludes documenting all of these changes in this advisory. Users
are directed to the Red Hat Ceph Storage Release Notes for information on
the most significant of these changes:
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.3/html/release_notes/index
All users of Red Hat Ceph Storage are advised to pull these new images from
the Red Hat Ecosystem catalog.
Security Fix(es):
* grafana: Use of Cache Containing Sensitive Information (CVE-2022-23498)
* grafana: cross site scripting (CVE-2023-0507)
* grafana: cross site scripting (CVE-2023-0594)
* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)
* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
* haproxy: segfault DoS (CVE-2023-0056)
* grafana: JWT token leak to data source (CVE-2023-1387)
* grafana: stored XSS vulnerability affecting the core plugin "Text" (CVE-2023-22462)
* golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated container image for Red Hat Ceph Storage 5.3 is now available in\nthe Red Hat Ecosystem Catalog.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Ceph Storage is a scalable, open, software-defined storage platform\nthat combines the most stable version of the Ceph storage system with a\nCeph management platform, deployment utilities, and support services.\n\nThis updated container image is based on Red Hat Ceph Storage 5.3 and Red\nHat Enterprise Linux.\n\nSpace precludes documenting all of these changes in this advisory. Users\nare directed to the Red Hat Ceph Storage Release Notes for information on\nthe most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.3/html/release_notes/index\n\nAll users of Red Hat Ceph Storage are advised to pull these new images from\nthe Red Hat Ecosystem catalog.\n\nSecurity Fix(es):\n\n* grafana: Use of Cache Containing Sensitive Information (CVE-2022-23498)\n\n* grafana: cross site scripting (CVE-2023-0507)\n\n* grafana: cross site scripting (CVE-2023-0594)\n\n* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)\n\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* haproxy: segfault DoS (CVE-2023-0056)\n\n* grafana: JWT token leak to data source (CVE-2023-1387)\n\n* grafana: stored XSS vulnerability affecting the core plugin \"Text\" (CVE-2023-22462)\n\n* golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:0746",
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "2164936",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164936"
},
{
"category": "external",
"summary": "2167266",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167266"
},
{
"category": "external",
"summary": "2168037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168037"
},
{
"category": "external",
"summary": "2168038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168038"
},
{
"category": "external",
"summary": "2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "external",
"summary": "2184481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184481"
},
{
"category": "external",
"summary": "2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "2256938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256938"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0746.json"
}
],
"title": "Red Hat Security Advisory: new container image: rhceph-5.3",
"tracking": {
"current_release_date": "2024-11-06T04:58:36+00:00",
"generator": {
"date": "2024-11-06T04:58:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2024:0746",
"initial_release_date": "2024-02-08T16:49:55+00:00",
"revision_history": [
{
"date": "2024-02-08T16:49:55+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-02-08T16:49:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-06T04:58:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ceph Storage 5.3 Tools",
"product": {
"name": "Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ceph_storage:5.3::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ceph Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"product": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-83"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"product": {
"name": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"product_id": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-39"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"product": {
"name": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"product_id": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-499"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"product": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"product_id": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-32"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"product": {
"name": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"product_id": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-50"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"product": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-83"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"product": {
"name": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"product_id": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-39"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"product": {
"name": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"product_id": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-499"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"product": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"product_id": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-32"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"product": {
"name": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"product_id": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-50"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"product": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-83"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"product": {
"name": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"product_id": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-39"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"product": {
"name": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"product_id": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-499"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"product": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"product_id": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-32"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"product": {
"name": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"product_id": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-50"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x"
},
"product_reference": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le"
},
"product_reference": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64"
},
"product_reference": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64"
},
"product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le"
},
"product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
},
"product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le"
},
"product_reference": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x"
},
"product_reference": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64"
},
"product_reference": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64"
},
"product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le"
},
"product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
},
"product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x"
},
"product_reference": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le"
},
"product_reference": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
},
"product_reference": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23498",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-02-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2167266"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana package. When data-source query caching is enabled, Grafana caches all headers, including `grafana_session.` As a result, any user that queries a data source where the caching is enabled can acquire another user\u2019s session.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Use of Cache Containing Sensitive Information",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23498"
},
{
"category": "external",
"summary": "RHBZ#2167266",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167266"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23498",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23498"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23498",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23498"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8"
}
],
"release_date": "2023-02-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "To mitigate the vulnerability, disable the data source query caching for all data sources.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Use of Cache Containing Sensitive Information"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
},
{
"cve": "CVE-2023-0056",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-01-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160808"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: segfault DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "RHBZ#2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0056",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056"
},
{
"category": "external",
"summary": "https://github.com/haproxy/haproxy/issues/1972",
"url": "https://github.com/haproxy/haproxy/issues/1972"
}
],
"release_date": "2022-12-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "haproxy: segfault DoS"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0507",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2023-02-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2168038"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the GeoMap Grafana plugin, where a user can store unsanitized HTML in the GeoMap plugin under the Attribution text field, and the client will process it. The vulnerability makes it possible to use XHR to make arbitrary API calls on behalf of the attacked user. This means that a malicious user with editor permissions could alter a GeoMap panel to include JavaScript that changes the password for the user viewing the panel (this could be an admin) to a known password, thus gaining access to the admin account and resulting as the editor becoming an admin.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For Grafana package shipped in Red Hat Enterprise Linux, it is not possible to take advantage of this vulnerability without specialized \u0027editor\u0027 access, which reduces the impact of this issue in RHEL. Thus, it is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0507"
},
{
"category": "external",
"summary": "RHBZ#2168038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168038"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0507",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0507"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0507",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0507"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/CVE-2023-0507",
"url": "https://grafana.com/security/security-advisories/CVE-2023-0507"
}
],
"release_date": "2023-03-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "Applying the Content-Security-Policy shipped with Grafana would block inline scripts from executing and would mitigate this.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: cross site scripting"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0594",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2023-02-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2168037"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the grafana package. This flaw allows a malicious user with the ability to introduce trace data to provide a JavaScript that changes the password for the user viewing the trace view (this could be an admin) to a known password, thus gaining access to the admin account.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an issue with Grafana Tempo which we don\u0027t ship in Red Hat Enterprise Linux. Hence, RHEL-8, 9 are not-affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0594"
},
{
"category": "external",
"summary": "RHBZ#2168037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0594",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0594"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0594",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0594"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/CVE-2023-0594",
"url": "https://grafana.com/security/security-advisories/CVE-2023-0594"
}
],
"release_date": "2023-03-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "Applying the Content-Security-Policy shipped with Grafana would block inline scripts from executing and would mitigate this.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: cross site scripting"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-1387",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2186322"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue when enabling the \"url_login\" configuration option. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: JWT token leak to data source",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1387"
},
{
"category": "external",
"summary": "RHBZ#2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1387",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1387"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/",
"url": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
}
],
"release_date": "2023-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: JWT token leak to data source"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-22462",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-01-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2164936"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana core plugin, \"Text.\" The vulnerability was possible due to React\u0027s render cycle that will pass through unsanitized HTML code. However, the HTML is cleaned and saved in Grafana\u0027s database in the next cycle. An attacker needs the Editor role in changing a Text panel to include JavaScript. Later, another user needs to edit the same Text panel and click \"Markdown\" or \"HTML\" to execute the code. This issue allows possible vertical privilege escalation, where a user with an Editor role can change to a known password for a user having an Admin role if the user with an Admin role executes malicious JavaScript viewing a dashboard.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: stored XSS vulnerability affecting the core plugin \"Text\"",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Service Mesh containers include the grafana RPM from RHEL and consume CVE fixes for grafana from RHEL channels. The servicemesh-grafana RPM shipped in early versions of OpenShift Service Mesh 2.1 is no longer maintained.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22462"
},
{
"category": "external",
"summary": "RHBZ#2164936",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164936"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22462"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22462",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22462"
}
],
"release_date": "2023-03-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: stored XSS vulnerability affecting the core plugin \"Text\""
},
{
"cve": "CVE-2023-24538",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2023-04-04T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184481"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks (`) as Javascript string delimiters. By sending a specially crafted request, an attacker execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: html/template: backticks not treated as string delimiters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The described issue involving Go templates and JavaScript template literals poses a moderate severity rather than an important one due to several mitigating factors. Firstly, the vulnerability requires specific conditions to be met: the presence of Go templates within JavaScript template literals. This limits the scope of affected codebases, reducing the likelihood of exploitation. Additionally, the decision to disallow such interactions in future releases of Go indicates a proactive approach to addressing the issue. Furthermore, the affected packages or components within Red Hat Enterprise Linux, such as Conmon, Grafana, and the RHC package, have been assessed and determined not to be impacted due to their specific usage patterns. So the limited scope of affected systems and the absence of exploitation vectors in specific components within Red Hat Enterprise Linux contribute to categorizing the severity of the issue as moderate.\n\nFor Red Hat Enterprise Linux,\n\n* Conmon uses go in unit testing, but not functionally in the package. Go is used only in test files, hence, not in the actual code, thus, conmon is not affected.\n* The Go templates in Grafana do not contain any javascript. Thus, it is not affected.\n* The rhc package do not make use of html/template. Hence, it is also not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24538"
},
{
"category": "external",
"summary": "RHBZ#2184481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184481"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24538",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24538"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/59234",
"url": "https://github.com/golang/go/issues/59234"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8",
"url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
}
],
"release_date": "2023-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: html/template: backticks not treated as string delimiters"
},
{
"cve": "CVE-2023-25725",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2023-02-11T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2169089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in HAProxy\u0027s headers processing that causes HAProxy to drop important headers fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: request smuggling attack in HTTP/1 header parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform doesn\u0027t ship any haproxy code of its own and instead the openstack-haproxy-container consumes the `haproxy` RPM provided by RHEL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25725"
},
{
"category": "external",
"summary": "RHBZ#2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25725",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25725"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725"
},
{
"category": "external",
"summary": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/",
"url": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html",
"url": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html"
}
],
"release_date": "2023-02-14T16:20:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "haproxy: request smuggling attack in HTTP/1 header parsing"
}
]
}
rhsa-2023_7741
Vulnerability from csaf_redhat
Published
2023-12-12 13:55
Modified
2024-11-08 14:35
Summary
Red Hat Security Advisory: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update
Notes
Topic
Updated container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.
Details
Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.
This updated container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux.
Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index
All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.\n\nThis updated container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux.\n\nSpace precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index\n\nAll users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:7741",
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "2181117",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181117"
},
{
"category": "external",
"summary": "2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "2210840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210840"
},
{
"category": "external",
"summary": "2210848",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210848"
},
{
"category": "external",
"summary": "2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"category": "external",
"summary": "2243296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
},
{
"category": "external",
"summary": "2254041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254041"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7741.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update",
"tracking": {
"current_release_date": "2024-11-08T14:35:26+00:00",
"generator": {
"date": "2024-11-08T14:35:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.1.1"
}
},
"id": "RHSA-2023:7741",
"initial_release_date": "2023-12-12T13:55:37+00:00",
"revision_history": [
{
"date": "2023-12-12T13:55:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-12-12T13:55:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-08T14:35:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ceph Storage 6.1 Tools",
"product": {
"name": "Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ceph_storage:6.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ceph Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"product": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-82"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"product": {
"name": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"product_id": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-4"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"product": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"product_id": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-12"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"product": {
"name": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"product_id": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-263"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"product": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"product_id": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-5"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"product": {
"name": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"product_id": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-48"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"product": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-82"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"product": {
"name": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"product_id": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-4"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"product": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"product_id": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-12"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"product": {
"name": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"product_id": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-263"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"product": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"product_id": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-5"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"product": {
"name": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"product_id": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-48"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"product": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-82"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"product": {
"name": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"product_id": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-4"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"product": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"product_id": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-12"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"product": {
"name": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"product_id": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-263"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"product": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"product_id": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-5"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"product": {
"name": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"product_id": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-48"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64"
},
"product_reference": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x"
},
"product_reference": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le"
},
"product_reference": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x"
},
"product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le"
},
"product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
},
"product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64"
},
"product_reference": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le"
},
"product_reference": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x"
},
"product_reference": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64"
},
"product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x"
},
"product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le"
},
"product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le"
},
"product_reference": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x"
},
"product_reference": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64"
},
"product_reference": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le"
},
"product_reference": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x"
},
"product_reference": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
},
"product_reference": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-1387",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2186322"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue when enabling the \"url_login\" configuration option. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: JWT token leak to data source",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1387"
},
{
"category": "external",
"summary": "RHBZ#2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1387",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1387"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/",
"url": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
}
],
"release_date": "2023-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: JWT token leak to data source"
},
{
"cve": "CVE-2023-1410",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-03-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2181117"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This flaw allows an attacker to host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Stored XSS in Graphite FunctionDescription tooltip",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1410"
},
{
"category": "external",
"summary": "RHBZ#2181117",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181117"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1410",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1410"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1410",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1410"
},
{
"category": "external",
"summary": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/",
"url": "https://grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/"
}
],
"release_date": "2023-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: Stored XSS in Graphite FunctionDescription tooltip"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-2183",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2023-05-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2210848"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via the \"API Alert - Test\".",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: missing access control allows test alerts by underprivileged user",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift ServiceMesh (OSSM) has switched to using upstream rhel rpms for grafana, and is no longer maintaining the servicemesh-grafana package. Hence, it is marked as affected/won\u0027tfix.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-2183"
},
{
"category": "external",
"summary": "RHBZ#2210848",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210848"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-2183",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-2183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2183"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-2183/",
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
}
],
"release_date": "2023-06-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: missing access control allows test alerts by underprivileged user"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-2801",
"cwe": {
"id": "CWE-820",
"name": "Missing Synchronization"
},
"discovery_date": "2023-05-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2210840"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in grafana. This issue occurs when sending an API call to the /ds/query or public dashboard query endpoint that has mixed queries, such as having two or more distinct data sources in one API call. As a result, the Grafana instance will crash. Currently, the only feature that uses mixed queries within Grafana is public dashboards, but it is also possible to trigger this issue by calling the API directly.\r\nIf public dashboards are enabled, reproduction requires a public dashboard to be under a heavy load. If public dashboards are disabled, reproduction only occurs when the /ds/query endpoint with a mixed query payload is under a heavy load with a load testing script.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: data source proxy race condition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "- In OpenShift Container Platform (OCP), Red Hat Advanced Cluster Management for Kubernetes (RHACM), and OpenShift ServiceMesh (OSSM) the grafana components are protected by OpenShift OAuth that reduces the impact of this flaw to Moderate.\n- OpenShift ServiceMesh (OSSM) has switched to using upstream rhel rpms for grafana and is no longer maintaining the servicemesh-grafana package. Hence, it is marked as affected/won\u0027tfix.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-2801"
},
{
"category": "external",
"summary": "RHBZ#2210840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-2801",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2801"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-2801",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2801"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-2801/",
"url": "https://grafana.com/security/security-advisories/cve-2023-2801/"
}
],
"release_date": "2023-06-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "workaround",
"details": "Block mixed query requests and patch to disable mixed query concurrent calls",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: data source proxy race condition"
},
{
"cve": "CVE-2023-39325",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-10-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2243296"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This CVE is related to CVE-2023-44487.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39325"
},
{
"category": "external",
"summary": "RHBZ#2243296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2023-44487",
"url": "https://access.redhat.com/security/cve/CVE-2023-44487"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "https://go.dev/issue/63417",
"url": "https://go.dev/issue/63417"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2102",
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"category": "external",
"summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
}
],
"release_date": "2023-10-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "workaround",
"details": "The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)"
},
{
"cve": "CVE-2023-44487",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-10-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2242803"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\r\n\r\nSecurity Bulletin\r\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using an HTTP keepalive.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nrhc component is no longer impacted by CVE-2023-44487 \u0026 CVE-2023-39325.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-44487"
},
{
"category": "external",
"summary": "RHBZ#2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"category": "external",
"summary": "RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"category": "external",
"summary": "https://github.com/dotnet/announcements/issues/277",
"url": "https://github.com/dotnet/announcements/issues/277"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2102",
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"category": "external",
"summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
},
{
"category": "external",
"summary": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
"url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2023-10-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "workaround",
"details": "Users are strongly urged to update their software as soon as fixes are available. \nThere are several mitigation approaches for this flaw. \n\n1. If circumstances permit, users may disable http2 endpoints to circumvent the flaw altogether until a fix is available.\n2. IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.\n3. Several package specific mitigations are also available. \n a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/\n b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p\n c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\n d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg\n e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-10-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)"
}
]
}
ghsa-c3h9-vpfv-3x4m
Vulnerability from github
Published
2023-04-26 15:30
Modified
2024-04-04 03:41
Severity ?
Details
Grafana is an open-source platform for monitoring and observability.
Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token.
By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.
{
"affected": [],
"aliases": [
"CVE-2023-1387"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-26T14:15:09Z",
"severity": "HIGH"
},
"details": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n",
"id": "GHSA-c3h9-vpfv-3x4m",
"modified": "2024-04-04T03:41:38Z",
"published": "2023-04-26T15:30:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230609-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
gsd-2023-1387
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Grafana is an open-source platform for monitoring and observability.
Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token.
By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-1387",
"id": "GSD-2023-1387"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-1387"
],
"details": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n",
"id": "GSD-2023-1387",
"modified": "2023-12-13T01:20:41.957154Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@grafana.com",
"ID": "CVE-2023-1387",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Grafana",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.1.0",
"version_value": "9.2.17"
},
{
"version_affected": "\u003c",
"version_name": "9.3.0",
"version_value": "9.3.13"
},
{
"version_affected": "\u003c",
"version_name": "9.4.0",
"version_value": "9.5.0"
}
]
}
},
{
"product_name": "Grafana Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.1.0",
"version_value": "9.2.17"
},
{
"version_affected": "\u003c",
"version_name": "9.3.0",
"version_value": "9.3.13"
},
{
"version_affected": "\u003c",
"version_name": "9.4.0",
"version_value": "9.5.0"
}
]
}
}
]
},
"vendor_name": "Grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n"
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-200",
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"refsource": "MISC",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"name": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j",
"refsource": "MISC",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230609-0003/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.4.9",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.3.13",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.2.17",
"versionStartIncluding": "9.1.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@grafana.com",
"ID": "CVE-2023-1387"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"name": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230609-0003/",
"refsource": "MISC",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-06-09T08:15Z",
"publishedDate": "2023-04-26T14:15Z"
}
}
}
wid-sec-w-2023-1088
Vulnerability from csaf_certbund
Published
2023-04-26 22:00
Modified
2024-02-08 23:00
Summary
Grafana: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Grafana ist eine Open-Source Analyse- und Visualisierungssoftware.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um Informationen offenzulegen und einen Denial of Service Zustand zu verursachen.
Betroffene Betriebssysteme
- Linux
- MacOS X
- Windows
- Sonstiges
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Grafana ist eine Open-Source Analyse- und Visualisierungssoftware.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um Informationen offenzulegen und einen Denial of Service Zustand zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- MacOS X\n- Windows\n- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-1088 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1088.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-1088 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1088"
},
{
"category": "external",
"summary": "Grafana Security Release vom 2023-04-26",
"url": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:7741 vom 2023-12-12",
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:0196-1 vom 2024-01-23",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017743.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2024:0191-1 vom 2024-01-23",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017744.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:0746 vom 2024-02-08",
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"source_lang": "en-US",
"title": "Grafana: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-02-08T23:00:00.000+00:00",
"generator": {
"date": "2024-02-15T17:25:55.148+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2023-1088",
"initial_release_date": "2023-04-26T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-04-26T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-12-12T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-01-23T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2024-02-08T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c 9.5.1",
"product": {
"name": "Open Source Grafana \u003c 9.5.1",
"product_id": "T027524",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:9.5.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c 9.5.0",
"product": {
"name": "Open Source Grafana \u003c 9.5.0",
"product_id": "T027525",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:9.5.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c 9.4.9",
"product": {
"name": "Open Source Grafana \u003c 9.4.9",
"product_id": "T027526",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:9.4.9"
}
}
},
{
"category": "product_version_range",
"name": "\u003c 9.3.13",
"product": {
"name": "Open Source Grafana \u003c 9.3.13",
"product_id": "T027527",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:9.3.13"
}
}
},
{
"category": "product_version_range",
"name": "\u003c 9.2.17",
"product": {
"name": "Open Source Grafana \u003c 9.2.17",
"product_id": "T027528",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:9.2.17"
}
}
},
{
"category": "product_version_range",
"name": "\u003c 8.5.24",
"product": {
"name": "Open Source Grafana \u003c 8.5.24",
"product_id": "T027529",
"product_identification_helper": {
"cpe": "cpe:/a:grafana:grafana:8.5.24"
}
}
}
],
"category": "product_name",
"name": "Grafana"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-1387",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Grafana. Der Fehler besteht, weil ein JWT-Token als Header an die Datenquelle \u00fcbergeben werden kann, wenn die JWT-Authentifizierung \u00fcber URL Login aktiviert ist. Ein entfernter, authentisierter Angreifer mit bestimmten Rechten kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"T002207",
"67646"
]
},
"release_date": "2023-04-26T22:00:00Z",
"title": "CVE-2023-1387"
},
{
"cve": "CVE-2023-28119",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Grafana. Der Fehler besteht, weil die Funktion flate.NewReader aus der Komponente crewjam/saml die Gr\u00f6\u00dfe der Eingabe nicht begrenzt. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, indem er mehr als 1 MB an Daten in der HTTP-Anforderung an die Verarbeitungsfunktionen weitergibt, um einen Denial-of-Service-Zustand zu verursachen."
}
],
"product_status": {
"known_affected": [
"T002207",
"67646"
]
},
"release_date": "2023-04-26T22:00:00Z",
"title": "CVE-2023-28119"
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.