rhsa-2023_6420
Vulnerability from csaf_redhat
Published
2023-11-07 08:59
Modified
2024-11-23 02:35
Summary
Red Hat Security Advisory: grafana security and enhancement update
Notes
Topic
An update for grafana is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
* grafana: persistent xss in grafana core plugins (CVE-2022-23552)
* grafana: plugin signature bypass (CVE-2022-31123)
* grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)
* grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)
* grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)
* grafana: User enumeration via forget password (CVE-2022-39307)
* grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)
* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
* golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for grafana is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* grafana: persistent xss in grafana core plugins (CVE-2022-23552)\n\n* grafana: plugin signature bypass (CVE-2022-31123)\n\n* grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)\n\n* grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)\n\n* grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)\n\n* grafana: User enumeration via forget password (CVE-2022-39307)\n\n* grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)\n\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:6420", "url": "https://access.redhat.com/errata/RHSA-2023:6420" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index", "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index" }, { "category": "external", "summary": "2131146", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131146" }, { "category": "external", "summary": "2131147", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131147" }, { "category": "external", "summary": "2131148", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131148" }, { "category": "external", "summary": "2138014", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138014" }, { "category": "external", "summary": "2138015", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138015" }, { "category": "external", "summary": "2148252", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148252" }, { "category": "external", "summary": "2158420", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158420" }, { "category": "external", "summary": "2161274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274" }, { "category": "external", "summary": "2184483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483" }, { "category": "external", "summary": "2188193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188193" }, { "category": "external", "summary": "2193018", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2193018" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6420.json" } ], "title": "Red Hat Security Advisory: grafana security and enhancement update", "tracking": { "current_release_date": "2024-11-23T02:35:42+00:00", "generator": { "date": "2024-11-23T02:35:42+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:6420", "initial_release_date": "2023-11-07T08:59:06+00:00", "revision_history": [ { "date": "2023-11-07T08:59:06+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-11-07T08:59:06+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-23T02:35:42+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 9)", "product": { "name": "Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:9::appstream" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "grafana-0:9.2.10-7.el9_3.src", "product": { "name": "grafana-0:9.2.10-7.el9_3.src", "product_id": "grafana-0:9.2.10-7.el9_3.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "grafana-0:9.2.10-7.el9_3.aarch64", "product": { "name": "grafana-0:9.2.10-7.el9_3.aarch64", "product_id": "grafana-0:9.2.10-7.el9_3.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=aarch64" } } }, { "category": "product_version", "name": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "product": { "name": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "product_id": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=aarch64" } } }, { "category": "product_version", "name": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "product": { "name": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=aarch64" } } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "grafana-0:9.2.10-7.el9_3.ppc64le", "product": { "name": "grafana-0:9.2.10-7.el9_3.ppc64le", "product_id": "grafana-0:9.2.10-7.el9_3.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=ppc64le" } } }, { "category": "product_version", "name": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "product": { "name": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "product_id": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=ppc64le" } } }, { "category": "product_version", "name": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "product": { "name": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=ppc64le" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "grafana-0:9.2.10-7.el9_3.x86_64", "product": { "name": "grafana-0:9.2.10-7.el9_3.x86_64", "product_id": "grafana-0:9.2.10-7.el9_3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=x86_64" } } }, { "category": "product_version", "name": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64", "product": { "name": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64", "product_id": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=x86_64" } } }, { "category": "product_version", "name": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "product": { "name": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "grafana-0:9.2.10-7.el9_3.s390x", "product": { "name": "grafana-0:9.2.10-7.el9_3.s390x", "product_id": "grafana-0:9.2.10-7.el9_3.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana@9.2.10-7.el9_3?arch=s390x" } } }, { "category": "product_version", "name": "grafana-debugsource-0:9.2.10-7.el9_3.s390x", "product": { "name": "grafana-debugsource-0:9.2.10-7.el9_3.s390x", "product_id": "grafana-debugsource-0:9.2.10-7.el9_3.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana-debugsource@9.2.10-7.el9_3?arch=s390x" } } }, { "category": "product_version", "name": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "product": { "name": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "product_id": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "product_identification_helper": { "purl": "pkg:rpm/redhat/grafana-debuginfo@9.2.10-7.el9_3?arch=s390x" } } } ], "category": "architecture", "name": "s390x" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.2.10-7.el9_3.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64" }, "product_reference": "grafana-0:9.2.10-7.el9_3.aarch64", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.2.10-7.el9_3.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le" }, "product_reference": "grafana-0:9.2.10-7.el9_3.ppc64le", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.2.10-7.el9_3.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x" }, "product_reference": "grafana-0:9.2.10-7.el9_3.s390x", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.2.10-7.el9_3.src as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src" }, "product_reference": "grafana-0:9.2.10-7.el9_3.src", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.2.10-7.el9_3.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64" }, "product_reference": "grafana-0:9.2.10-7.el9_3.x86_64", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64" }, "product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le" }, "product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x" }, "product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64" }, "product_reference": "grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64" }, "product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le" }, "product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-debugsource-0:9.2.10-7.el9_3.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x" }, "product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.s390x", "relates_to_product_reference": "AppStream-9.3.0.GA" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)", "product_id": "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" }, "product_reference": "grafana-debugsource-0:9.2.10-7.el9_3.x86_64", "relates_to_product_reference": "AppStream-9.3.0.GA" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Grafana Security Team" ] } ], "cve": "CVE-2022-23552", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2023-01-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2158420" } ], "notes": [ { "category": "description", "text": "A flaw was found in The GeoMap and Canvas plugins of Grafana. The GeoMap and Canvas plugins are core plugins in Grafana, which means that all Grafana instances have GeoMap and Canvas installed. These two plugins are vulnerable to Cross-site scripting, where an attacker with an Editor role can add an SVG file containing malicious JavaScript code. The Javascript is executed when a user with an admin role later edits the GeoMap/Canvas panel.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: persistent xss in grafana core plugins", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-23552" }, { "category": "external", "summary": "RHBZ#2158420", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158420" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-23552", "url": "https://www.cve.org/CVERecord?id=CVE-2022-23552" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23552", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23552" }, { "category": "external", "summary": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/", "url": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/" } ], "release_date": "2023-01-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-07T08:59:06+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6420" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "grafana: persistent xss in grafana core plugins" }, { "cve": "CVE-2022-31123", "discovery_date": "2022-09-30T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2131147" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Grafana web application, where it is possible to install plugins which are not digitally signed. An admin could install unsigned plugins, which may contain malicious code.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: plugin signature bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-31123" }, { "category": "external", "summary": "RHBZ#2131147", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131147" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31123", "url": "https://www.cve.org/CVERecord?id=CVE-2022-31123" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31123", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31123" }, { "category": "external", "summary": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8", "url": "https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8" } ], "release_date": "2022-10-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-07T08:59:06+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6420" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "products": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "grafana: plugin signature bypass" }, { "cve": "CVE-2022-31130", "discovery_date": "2022-09-30T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2131146" } ], "notes": [ { "category": "description", "text": "A flaw was found in Grafana\u0027s use of the GitLab data source plugin, leaking the API key to gitlab. This can result in the destination plugin receiving a Grafana user\u0027s authentication token, which could be used by an attacker.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-31130" }, { "category": "external", "summary": "RHBZ#2131146", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131146" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31130", "url": "https://www.cve.org/CVERecord?id=CVE-2022-31130" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31130", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31130" } ], "release_date": "2022-10-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-07T08:59:06+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6420" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins" }, { "cve": "CVE-2022-39201", "discovery_date": "2022-09-30T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2131148" } ], "notes": [ { "category": "description", "text": "A flaw was found in Grafana. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. Grafana could leak the authentication cookie of users to plugins, which could result in an impact to confidentiality, integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-39201" }, { "category": "external", "summary": "RHBZ#2131148", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131148" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-39201", "url": "https://www.cve.org/CVERecord?id=CVE-2022-39201" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39201", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39201" } ], "release_date": "2022-10-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-07T08:59:06+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6420" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins" }, { "acknowledgments": [ { "names": [ "Grafana Team" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2022-39306", "cwe": { "id": "CWE-303", "name": "Incorrect Implementation of Authentication Algorithm" }, "discovery_date": "2022-10-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2138014" } ], "notes": [ { "category": "description", "text": "An authentication bypass flaw was discovered in Grafana. This issue could allow a remote unauthenticated attacker to create an account and provide access to a certain organization, which can be exploited by gaining access to the signup link. The highest impacts to the system are confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: email addresses and usernames cannot be trusted", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-39306" }, { "category": "external", "summary": "RHBZ#2138014", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138014" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-39306", "url": "https://www.cve.org/CVERecord?id=CVE-2022-39306" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39306", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39306" }, { "category": "external", "summary": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/", "url": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/" } ], "release_date": "2022-11-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-07T08:59:06+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6420" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "grafana: email addresses and usernames cannot be trusted" }, { "acknowledgments": [ { "names": [ "Grafana Team" ] } ], "cve": "CVE-2022-39307", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2022-10-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2138015" } ], "notes": [ { "category": "description", "text": "An information leak was discovered in Grafana. Remote unauthenticated users could exploit the forget password feature to discover which user accounts exist.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: User enumeration via forget password", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-39307" }, { "category": "external", "summary": "RHBZ#2138015", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138015" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-39307", "url": "https://www.cve.org/CVERecord?id=CVE-2022-39307" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39307", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39307" }, { "category": "external", "summary": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/", "url": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/" } ], "release_date": "2022-11-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-07T08:59:06+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6420" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "grafana: User enumeration via forget password" }, { "acknowledgments": [ { "names": [ "Grafana Security Team" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2022-39324", "cwe": { "id": "CWE-472", "name": "External Control of Assumed-Immutable Web Parameter" }, "discovery_date": "2022-11-24T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2148252" } ], "notes": [ { "category": "description", "text": "A flaw was found in the grafana package. While creating a snapshot, an attacker may manipulate a hidden HTTP parameter to inject a malicious URL in the \"Open original dashboard\" button.", "title": "Vulnerability description" }, { "category": "summary", "text": "grafana: Spoofing of the originalUrl parameter of snapshots", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift Service Mesh containers include the Grafana RPM from RHEL and consume CVE fixes for Grafana from RHEL channels. The servicemesh-grafana RPM shipped in early versions of OpenShift Service Mesh 2.1 is no longer maintained.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-39324" }, { "category": "external", "summary": "RHBZ#2148252", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148252" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-39324", "url": "https://www.cve.org/CVERecord?id=CVE-2022-39324" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39324", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39324" }, { "category": "external", "summary": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/", "url": "https://grafana.com/blog/2023/01/25/grafana-security-releases-new-versions-with-fixes-for-cve-2022-23552-cve-2022-41912-and-cve-2022-39324/" } ], "release_date": "2023-01-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-07T08:59:06+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6420" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1" }, "products": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "grafana: Spoofing of the originalUrl parameter of snapshots" }, { "cve": "CVE-2022-41717", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2023-01-16T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2161274" } ], "notes": [ { "category": "description", "text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests", "title": "Vulnerability summary" }, { "category": "other", "text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as will not fix. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-41717" }, { "category": "external", "summary": "RHBZ#2161274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717", "url": "https://www.cve.org/CVERecord?id=CVE-2022-41717" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717" }, { "category": "external", "summary": "https://go.dev/cl/455635", "url": "https://go.dev/cl/455635" }, { "category": "external", "summary": "https://go.dev/cl/455717", "url": "https://go.dev/cl/455717" }, { "category": "external", "summary": "https://go.dev/issue/56350", "url": "https://go.dev/issue/56350" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-1144", "url": "https://pkg.go.dev/vuln/GO-2022-1144" } ], "release_date": "2022-11-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-07T08:59:06+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6420" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests" }, { "cve": "CVE-2023-24534", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-04-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2184483" } ], "notes": [ { "category": "description", "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused by memory exhaustion in the common function in HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http, net/textproto: denial of service from excessive memory allocation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-24534" }, { "category": "external", "summary": "RHBZ#2184483", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184483" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24534", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24534" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24534" }, { "category": "external", "summary": "https://go.dev/issue/58975", "url": "https://go.dev/issue/58975" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8", "url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8" } ], "release_date": "2023-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-11-07T08:59:06+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6420" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.src", "AppStream-9.3.0.GA:grafana-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debuginfo-0:9.2.10-7.el9_3.x86_64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.aarch64", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.ppc64le", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.s390x", "AppStream-9.3.0.GA:grafana-debugsource-0:9.2.10-7.el9_3.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http, net/textproto: denial of service from excessive memory allocation" } ] }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.