BDU:2023-02415

Published: 21 Jan 2022
Source: fstec
CVSS3: 6.8
CVSS2: 6.8
EPSS: Low

Description

A vulnerability in the HTTP proxy of the Grafana data-visualization web tool is caused by insufficient protection of the web page structure (cross-site scripting). Exploitation may allow a remote attacker to carry out cross-site scripting attacks by means of a specially crafted malicious HTML page served through the proxy.

Vendor

Red Hat Inc.
Fedora Project
ООО «Ред Софт» (Red Soft LLC)
Grafana
NetApp Inc.

Software name

Red Hat Enterprise Linux
Fedora
Openshift Service Mesh
РЕД ОС
Red Hat Advanced Cluster Management for Kubernetes
Red Hat OpenShift GitOps
Red Hat OpenShift Container Platform
Grafana
NetApp E-Series Performance Analyzer

Software version

from 2.0.0-beta1 up to, but not including, 7.5.15 (Grafana; fixed in 7.5.15)
from 8.0.0 up to, but not including, 8.3.5 (Grafana; fixed in 8.3.5)
before 3.0 (NetApp E-Series Performance Analyzer)
8 (Red Hat Enterprise Linux)
9 (Red Hat Enterprise Linux)
34 (Fedora)
35 (Fedora)
36 (Fedora)
7.3 (РЕД ОС)
2 (Openshift Service Mesh)
2.1.0 (Openshift Service Mesh)
2 (Red Hat Advanced Cluster Management for Kubernetes)
- (Red Hat OpenShift GitOps)
3.11 (Red Hat OpenShift Container Platform)
4 (Red Hat OpenShift Container Platform)

Software type

Operating system
Application software for information systems
Network device

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux 8
Red Hat Inc. Red Hat Enterprise Linux 9
Fedora Project Fedora 34
Fedora Project Fedora 35
Fedora Project Fedora 36
ООО «Ред Софт» РЕД ОС 7.3

Vulnerability severity level

Medium severity (CVSS 2.0 base score 6.8)
Medium severity (CVSS 3.0 base score 6.8)

Possible remediation measures

Follow the vendor recommendations:
For Grafana:
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85
https://github.com/grafana/grafana/commit/41c1cd2865fee195a76f4856905077dfff311169
For Red Hat Inc. products:
https://access.redhat.com/security/cve/cve-2022-21702
For Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
For NetApp E-Series Performance Analyzer:
https://security.netapp.com/advisory/ntap-20220303-0005/
https://github.com/NetApp/eseries-perf-analyzer
For РЕД ОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Compensating measures (where upgrading is not yet possible):
Using a reverse proxy in front of Grafana, set the response header Content-Security-Policy: sandbox on the following routes:
/api/datasources/proxy*
/api/plugin-proxy*
/api/plugins/<pluginId>/resources*
/api/datasources/<id>/resources*
Alternatively, using the proxy, set the response header Content-Disposition: attachment; filename="proxy.txt" on the same routes.
The CSP sandbox directive makes a browser that renders a proxied response treat it as an opaque origin with script execution disabled, so attacker-supplied HTML cannot run with the Grafana origin's cookies and session; the Content-Disposition header makes the browser download the response as a file instead of rendering it as a page at all. Both are workarounds only; the vulnerable proxy code is fixed in Grafana 7.5.15 and 8.3.5.
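As an added example (not code from this page, FSTEC, or the Grafana project), the following Go reverse proxy implements the compensating measures above: it forwards every request to Grafana and, on the four affected routes only, adds Content-Security-Policy: sandbox and Content-Disposition: attachment to the upstream response. The function names, the listening port :8080 and the upstream address 127.0.0.1:3000 are assumptions; <pluginId> and <id> are interpreted as one path segment and the trailing * as any suffix.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
)

// Route patterns from the compensating measures. "<pluginId>" and "<id>" are
// matched as a single path segment; the trailing "*" becomes a prefix match
// (assumption: the advisory lists the routes as glob-like prefixes).
var sandboxedRoutes = []*regexp.Regexp{
	regexp.MustCompile(`^/api/datasources/proxy`),
	regexp.MustCompile(`^/api/plugin-proxy`),
	regexp.MustCompile(`^/api/plugins/[^/]+/resources`),
	regexp.MustCompile(`^/api/datasources/[^/]+/resources`),
}

// NeedsSandbox reports whether a request path reaches the Grafana data source
// or plugin proxy, i.e. whether the response body may come from a server the
// attacker controls.
func NeedsSandbox(path string) bool {
	for _, re := range sandboxedRoutes {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

// ApplySandbox sets both headers recommended as compensating measures.
// CSP "sandbox" puts a rendered document into an opaque origin with scripts
// disabled; Content-Disposition: attachment makes the browser download the
// body instead of rendering it as a page.
func ApplySandbox(h http.Header) {
	h.Set("Content-Security-Policy", "sandbox")
	h.Set("Content-Disposition", `attachment; filename="proxy.txt"`)
}

// NewMitigatingProxy returns a reverse proxy in front of Grafana (upstream)
// that rewrites responses on the affected routes and leaves all others as-is.
func NewMitigatingProxy(upstream *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	rp.ModifyResponse = func(resp *http.Response) error {
		// resp.Request is the outgoing request the transport sent upstream;
		// its path is the one Grafana saw.
		if NeedsSandbox(resp.Request.URL.Path) {
			ApplySandbox(resp.Header)
		}
		return nil
	}
	return rp
}

func main() {
	// Assumed deployment: Grafana on 127.0.0.1:3000, this proxy on :8080.
	upstream, err := url.Parse("http://127.0.0.1:3000")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", NewMitigatingProxy(upstream)))
}
```

The same effect can be had from an existing nginx or similar reverse proxy with per-location add_header directives for those four route prefixes; what matters is that the headers are attached to responses from the proxied routes and not to Grafana's own UI, which needs scripts to work.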

Vulnerability status

Confirmed by the vendor

Exploit availability

Publicly available

Fix information

Vulnerability fixed

Identifiers in other vulnerability description systems

EPSS: 0.00948 (Low), percentile 75%
CVSS3: 6.8 Medium
CVSS2: 6.8 Medium

Related vulnerabilities

ubuntu (CVSS3: 6.5, more than 3 years ago):
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of th...

redhat (CVSS3: 6.8, more than 3 years ago):
Same CVE description as the ubuntu entry above (truncated at the same point).

nvd (CVSS3: 6.5, more than 3 years ago):
Same CVE description as the ubuntu entry above (truncated at the same point).

debian (CVSS3: 6.5, more than 3 years ago):
Grafana is an open-source platform for monitoring and observability. I ...

github (CVSS3: 6.8, about 1 year ago):
Grafana proxy Cross-site Scripting
