Описание
Security update for grafana
This update for grafana fixes the following issues:
- CVE-2022-23552: Fixed SVG processing by adding a dompurify preprocessor step (bsc#1207749).
- CVE-2022-39324: Fixed originalUrl spoof security issue (bsc#1207750).
- CVE-2022-41723: Fixed go issue to avoid quadratic complexity in HPACK decoding (bsc#1208293).
- CVE-2022-46146: Fixed basic authentication bypass by updating the exporter toolkit (bsc#1208065).
- Trim leading and trailing whitespaces from email and username on signup
- Fix invitation validation: Check whether the provided email address is the same as where the invitation is sent
Список пакетов
Container ses/7.1/ceph/grafana:latest
SUSE Linux Enterprise Module for Package Hub 15 SP4
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2023:0821-1
- E-Mail link for SUSE-SU-2023:0821-1
- SUSE Security Ratings
- SUSE Bug 1207749
- SUSE Bug 1207750
- SUSE Bug 1208065
- SUSE Bug 1208293
- SUSE CVE CVE-2022-23552 page
- SUSE CVE CVE-2022-39324 page
- SUSE CVE CVE-2022-41723 page
- SUSE CVE CVE-2022-46146 page
Описание
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.
Затронутые продукты
Ссылки
- CVE-2022-23552
- SUSE Bug 1207749
Описание
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker's injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.
Затронутые продукты
Ссылки
- CVE-2022-39324
- SUSE Bug 1207750
Описание
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
Затронутые продукты
Ссылки
- CVE-2022-41723
- SUSE Bug 1208270
- SUSE Bug 1215588
Описание
Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality.
Затронутые продукты
Ссылки
- CVE-2022-46146
- SUSE Bug 1208046