Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-31097

Опубликовано: 14 июл. 2022
Источник: redhat
CVSS3: 7.3

Описание

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

A Cross-site scripting (XSS) vulnerability was found in the Unified Alerting feature of Grafana. This stored XSS can elevate privileges from Editor to Admin.

Меры по смягчению последствий

Disable Unified alerting. https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#unified_alerting

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Service Mesh 2.0servicemesh-grafanaAffected
OpenShift Service Mesh 2.1servicemesh-grafanaAffected
Red Hat Advanced Cluster Management for Kubernetes 2rhacm2/acm-grafana-rhel8Not affected
Red Hat Ceph Storage 3grafanaAffected
Red Hat Ceph Storage 4rhceph/rhceph-4-dashboard-rhel8Affected
Red Hat Ceph Storage 5rhceph/rhceph-5-dashboard-rhel8Affected
Red Hat Enterprise Linux 8grafanaNot affected
Red Hat Enterprise Linux 9grafanaNot affected
Red Hat OpenShift Container Platform 4openshift4/ose-grafanaNot affected
Red Hat Storage 3grafanaAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=2104365grafana: stored XSS vulnerability

7.3 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-31097

CVSS3: 7.3
ubuntu
почти 3 года назад

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

nvd логотип

CVE-2022-31097

CVSS3: 7.3
nvd
почти 3 года назад

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.

debian логотип

CVE-2022-31097

CVSS3: 7.3
debian
почти 3 года назад

Grafana is an open-source platform for monitoring and observability. V ...

github логотип

GHSA-vw7q-p2qg-4m5f

CVSS3: 7.3
github
около 1 года назад

Grafana Stored Cross-site Scripting in Unified Alerting

fstec логотип

BDU:2022-07077

CVSS3: 8.7
fstec
почти 3 года назад

Уязвимость компонентов column.title и cellLinkTooltip веб-инструмента представления данных Grafana, позволяющая нарушителю повысить свои привилегии

7.3 High

CVSS3