Описание
Security update for grafana
This version update from 8.5.20 to 8.5.22 for grafana fixes the following issues:
-
Security issues fixed:
- CVE-2023-1410: Fix XSS in Graphite functions tooltip (bsc#1209645)
- CVE-2023-0507: Apply attribute sanitation to GeomapPanel (bsc#1208821)
- CVE-2023-0594: Avoid storing XSS in TraceView panel (bsc#1208819)
-
The following non-security bug was fixed:
- Login: Fix panic when UpsertUser is called without ReqContext
Список пакетов
Container ses/7.1/ceph/grafana:latest
SUSE Linux Enterprise Module for Package Hub 15 SP4
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2023:1904-1
- E-Mail link for SUSE-SU-2023:1904-1
- SUSE Security Ratings
- SUSE Bug 1208819
- SUSE Bug 1208821
- SUSE Bug 1209645
- SUSE CVE CVE-2023-0507 page
- SUSE CVE CVE-2023-0594 page
- SUSE CVE CVE-2023-1410 page
Описание
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
Затронутые продукты
Ссылки
- CVE-2023-0507
- SUSE Bug 1208821
Описание
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
Затронутые продукты
Ссылки
- CVE-2023-0594
- SUSE Bug 1208819
Описание
Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
Затронутые продукты
Ссылки
- CVE-2023-1410
- SUSE Bug 1209645