CVE-2020-24303

Отчет

A vulnerable version of Grafana is shipped in OpenShift 3.11 - 4.5 and OpenShift ServiceMesh, however Prometheus is used as a data source and modification to Elasticsearch or Testdata requires full control of the grafana component. Access is restricted to authenticated users only by OpenShift OAuth. As OpenShift and OpenShift ServiceMesh still packages the vulnerable code, the components are affected but with impact Low. OpenShift 4.6 uses version 7.2.0 of Grafana in openshift4/ose-grafana-container and is not affected. Red Hat Ceph Storage 3 and 4 ship a vulnerable version of grafana, however, Prometheus is used as the data source., and thus the impact is rated as low. Red Hat Gluster Storage 3 ships vulnerable version of grafana, however Graphite is the only supported data source and hence this issue has been rated as having a security impact of Low.