| Field | Value |
|---|---|
| purl | pkg:rpm/redhat/grafana@7.5.15-3?arch=el9 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
Vulnerabilities affecting this package (vulnerability, summary, fixed by):

**VCID-29pd-1pjc-kuds** (aliases: CVE-2022-21702, GHSA-xc3p-28hw-q24g)

Grafana proxy Cross-site Scripting

Today we are releasing Grafana 8.3.5 and 7.5.15. This patch release includes a MEDIUM severity security fix for XSS in Grafana.

Release v.8.3.5, only containing security fixes:

- [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/)

Release v.7.5.15, only containing security fixes:

- [Download Grafana 7.5.15](https://grafana.com/grafana/download/7.5.15)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-15/)

## XSS ([CVE-2022-21702](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21702))

### Summary

On Jan. 16, an external security researcher, Jasu Viding, contacted Grafana to disclose an XSS vulnerability in the way that Grafana handles data sources. An attacker could serve HTML content through the Grafana datasource or plugin proxy and trick a user into visiting this HTML page using a specially crafted link, executing a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance, or set up their own public service and instruct anyone to set it up in their Grafana instance.

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

### Impact

Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org.

### Affected versions with MEDIUM severity

To be impacted, all of the following must be applicable:

**For data source proxy**:

- A Grafana instance running version v2.0.0-beta1 up to v8.3.4.
- A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set.
- The attacker is in control of the HTTP server serving the URL of the above data source.
- A specially crafted link pointing at http://host/api/datasources/proxy/"data source id", and the attacker somehow tricks a user of the above Grafana instance into clicking/visiting the link.
- A user that's already authenticated to the above Grafana instance clicks on/visits the specially crafted link sent/provided by the attacker.

**For plugin proxy**:

- A Grafana instance running version v2.0.0-beta1 up to v8.3.4.
- A Grafana HTTP-based app plugin configured and enabled with a URL set.
- The attacker is in control of the HTTP server serving the URL of the above app.
- A specially crafted link pointing at http://host/api/plugin-proxy/"plugin id", and the attacker somehow tricks a user of the above Grafana instance into clicking/visiting the link.
- A user that's already authenticated to the above Grafana instance clicks on/visits the specially crafted link sent/provided by the attacker.

**Backend plugin resource**:

- A Grafana instance running version v7.0.0-beta1 up to v8.3.4.
- The attacker potentially needs to craft a custom plugin to be able to pull this off, but if an attacker can compromise/control the backend service that a backend plugin connects to, it might be possible to serve HTML content via the /api/plugins/"plugin Id"/resources* or /api/datasources/"id"/resources* routes.
- A specially crafted link pointing at /api/plugins/"plugin Id"/resources* or /api/datasources/"id"/resources*, and the attacker somehow tricks a user of the above Grafana instance into clicking/visiting the link.
- A user that's already authenticated to the above Grafana instance clicks on/visits the specially crafted link sent/provided by the attacker.

### Root Causes

#### Trigger

Reproduced and confirmed via this Golang app:

```go
package main

import (
	"fmt"
	"log"
	"net/http"
)

func main() {
	// Serve a page whose only content is an inline script, standing in for a
	// compromised data source; Grafana's proxy relayed it unchanged.
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "<html><body><script>alert('XSS');</script></body></html>")
	})
	log.Fatal(http.ListenAndServe(":3011", nil))
}
```

A Prometheus datasource is configured in Grafana with URL http://localhost:3011. When visiting http://localhost:3000/api/datasources/proxy/170, the scripts declared in the HTML page execute. Confirmed in both Chrome and Firefox.

### Solutions and mitigations

All installations between Grafana v2.0.0-beta1 and v8.3.4 should be upgraded as soon as possible.

#### Workarounds

Using a proxy, set the response header `Content-Security-Policy: sandbox` for the following routes:

- `/api/datasources/proxy*`
- `/api/plugin-proxy*`
- `/api/plugins/<pluginId>/resources*`
- `/api/datasources/<id>/resources*`

Another possible mitigation is setting the response header `Content-Disposition: attachment; "proxy.txt"`. Confirmed in both Chrome and Firefox.

### Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

- 2022-01-16 16:19 Issue submitted by Jasu Viding
- 2022-01-17 14:40 CVSS score confirmed 6.8 at maximum and MEDIUM impact
- 2022-01-17 15:15 Vulnerability confirmed reproducible
- 2022-01-17 16:01 Begin mitigation for Grafana Cloud
- 2022-01-18 15:12 Similar report received
- 2022-01-19 09:57 CVE requested
- 2022-01-19 13:21 PR with fix opened
- 2022-01-19 19:53 GitHub issues CVE-2022-21702
- 2022-01-20 12:43 Second similar report received
- 2022-01-21 14:30 Private release planned for 2022-01-25, and public release planned for 2022-02-01
- 2022-01-25 12:00 Private release with patches
- 2022-02-01 12:00 During the public release process, we realized that the private 7.x release was incomplete. Abort public release, send second private release to customers using 7.x
- 2022-02-08 13:00 Public release

### Acknowledgement

We would like to thank Jasu Viding for responsibly disclosing the vulnerability.

### Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address.

We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA. The key is available from keyserver.ubuntu.com.

### Security announcements

We maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).

Fixed by: There are no reported fixed by versions.

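The workaround above (a `Content-Security-Policy: sandbox` response header on the proxy routes) can also be applied in a small Go reverse proxy placed in front of Grafana. The following program is an added example, not code from the Grafana advisory or the Grafana project: the route list comes from the workaround section, while the in-memory upstream transport, the hostname `datasource.internal:3011`, and the `sandboxWriter` wrapper are constructed here. It checks that a proxied response still carries the upstream's HTML but is now served with a sandbox policy, and that non-proxy routes are left untouched.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// isProxiedContent reports whether a path belongs to one of the routes listed
// in the advisory's workaround: /api/datasources/proxy*, /api/plugin-proxy*,
// /api/plugins/<pluginId>/resources* and /api/datasources/<id>/resources*.
func isProxiedContent(path string) bool {
	if strings.HasPrefix(path, "/api/datasources/proxy") || strings.HasPrefix(path, "/api/plugin-proxy") {
		return true
	}
	seg := strings.Split(strings.TrimPrefix(path, "/"), "/")
	return len(seg) >= 4 && seg[0] == "api" &&
		(seg[1] == "plugins" || seg[1] == "datasources") && seg[3] == "resources"
}

// sandboxWriter sets the sandbox header at the moment the status line is
// written, i.e. after the reverse proxy has copied the upstream's own headers,
// so an upstream-supplied Content-Security-Policy cannot override it.
type sandboxWriter struct {
	http.ResponseWriter
	wroteHeader bool
}

func (s *sandboxWriter) WriteHeader(code int) {
	if !s.wroteHeader {
		s.wroteHeader = true
		s.Header().Set("Content-Security-Policy", "sandbox")
	}
	s.ResponseWriter.WriteHeader(code)
}

func (s *sandboxWriter) Write(b []byte) (int, error) {
	if !s.wroteHeader {
		s.WriteHeader(http.StatusOK)
	}
	return s.ResponseWriter.Write(b)
}

// sandboxProxyResponses wraps the proxy handler; only the proxied-content
// routes get the header, so Grafana's own UI and API responses are unchanged.
func sandboxProxyResponses(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isProxiedContent(r.URL.Path) {
			w = &sandboxWriter{ResponseWriter: w}
		}
		next.ServeHTTP(w, r)
	})
}

// Constructed upstream: a transport that answers every request with the HTML
// page the advisory used as its trigger, so no network connection is made.
const triggerPage = "<html><body><script>alert('XSS');</script></body></html>"

type fakeDataSource struct{}

func (fakeDataSource) RoundTrip(r *http.Request) (*http.Response, error) {
	return &http.Response{
		StatusCode:    http.StatusOK,
		Header:        http.Header{"Content-Type": {"text/html"}},
		Body:          io.NopCloser(strings.NewReader(triggerPage)),
		ContentLength: int64(len(triggerPage)),
		Request:       r,
	}, nil
}

// newGuardedProxy builds the reverse proxy with the sandbox wrapper in place.
func newGuardedProxy() http.Handler {
	target, _ := url.Parse("http://datasource.internal:3011") // constructed name, never contacted
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = fakeDataSource{}
	return sandboxProxyResponses(rp)
}

// fetch runs one GET through the guarded proxy and returns the response as a
// browser would receive it.
func fetch(path string) *http.Response {
	rec := httptest.NewRecorder()
	newGuardedProxy().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result()
}

func main() {
	for _, p := range []string{"/api/datasources/proxy/170", "/api/plugins/my-app/resources/index.html", "/api/health"} {
		resp := fetch(p)
		body, _ := io.ReadAll(resp.Body)
		fmt.Printf("%-42s CSP=%q body=%q\n", p, resp.Header.Get("Content-Security-Policy"), string(body))
	}
}
```

The header is set inside `WriteHeader` rather than before `next.ServeHTTP` because `httputil.ReverseProxy` copies the upstream's headers into the writer first; setting it earlier would let a hostile upstream replace it. The alternative mitigation from the advisory, `Content-Disposition: attachment`, can be added at the same point.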
**VCID-498g-zap2-vqag** (aliases: CVE-2022-30635)

Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution.

Fixed by: There are no reported fixed by versions.

**VCID-5c67-zpsw-cyb2** (aliases: CVE-2022-28131)

Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution.

Fixed by: There are no reported fixed by versions.

**VCID-6189-d1tw-bfcp** (aliases: CVE-2022-30630)

Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution.

Fixed by: There are no reported fixed by versions.

**VCID-81aw-mk9s-eydd** (aliases: CVE-2022-32148)

Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution.

Fixed by: There are no reported fixed by versions.

**VCID-86mk-kwg6-63h6** (aliases: CVE-2022-30633)

Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution.

Fixed by: There are no reported fixed by versions.

**VCID-as38-uuy9-5qhu** (aliases: CVE-2022-1962)

golang: go/parser: stack exhaustion in all Parse* functions

Fixed by: There are no reported fixed by versions.

**VCID-f5qg-jth9-hycf** (aliases: CVE-2022-21698, GHSA-cg3q-j54f-5p7p)

Uncontrolled Resource Consumption in promhttp

This is the Go client library for Prometheus. It has two separate parts, one for instrumenting application code, and one for creating clients that talk to the Prometheus HTTP API. client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients.

### Impact

HTTP server susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods.

### Affected Configuration

In order to be affected, an instrumented software must:

* Use any of the `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`.
* Not filter any specific methods (e.g. GET) before the middleware.
* Pass a metric with a `method` label name to the middleware.
* Not have any firewall/LB/proxy that filters away requests with an unknown `method`.

### Patches

* https://github.com/prometheus/client_golang/pull/962
* https://github.com/prometheus/client_golang/pull/987

### Workarounds

If you cannot upgrade to [v1.11.1 or above](https://github.com/prometheus/client_golang/releases/tag/v1.11.1), in order to stop being affected you can:

* Remove the `method` label name from the counter/gauge you use in the InstrumentHandler.
* Turn off the affected promhttp handlers.
* Add custom middleware before the promhttp handler that will sanitize the request method given by Go's http.Request.
* Use a reverse proxy or web application firewall, configured to only allow a limited set of methods.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/prometheus/client_golang
* Email us at `prometheus-team@googlegroups.com`

Fixed by: There are no reported fixed by versions.

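The third workaround above (a custom middleware that sanitizes the request method before the promhttp handler) can be exercised end to end with the standard library alone. The following program is an added example and not client_golang code: `methodCounter` is a constructed stand-in for a metric vector with a `method` label, `instrument` mimics the affected labelling behaviour (the method is used as a label value exactly as received), and `sanitizeMethod` is the workaround. It shows the series count growing with every invented method when unguarded, and staying within the allowed set when guarded.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// methodCounter stands in for a counter vector with a `method` label
// (constructed; not client_golang). Each distinct label value is a new time
// series that stays in memory, which is the unbounded-cardinality problem the
// advisory describes.
type methodCounter struct {
	mu     sync.Mutex
	counts map[string]int
}

func newMethodCounter() *methodCounter { return &methodCounter{counts: map[string]int{}} }

func (c *methodCounter) inc(method string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.counts[method]++
}

// series is the number of distinct `method` label values recorded so far.
func (c *methodCounter) series() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.counts)
}

// instrument mimics an InstrumentHandler* middleware that labels by r.Method
// exactly as received, which is the affected behaviour.
func instrument(c *methodCounter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c.inc(r.Method)
		next.ServeHTTP(w, r)
	})
}

// allowedMethods is the fixed set the service actually supports; anything
// else is rejected before it can become a label value.
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodOptions: true,
}

// sanitizeMethod is the "custom middleware before the promhttp handler" from
// the advisory's workaround list: it bounds the `method` label to allowedMethods.
func sanitizeMethod(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowedMethods[r.Method] {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func okHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
}

// bogusMethods generates n syntactically valid but non-standard HTTP methods,
// standing in for a client that varies the method on every request (constructed input).
func bogusMethods(n int) []string {
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		out = append(out, fmt.Sprintf("BOGUS%04d", i))
	}
	return out
}

// drive sends one request per method through h and returns how many distinct
// `method` series the counter holds afterwards.
func drive(c *methodCounter, h http.Handler, methods []string) int {
	for _, m := range methods {
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(m, "/api/query", nil))
	}
	return c.series()
}

func main() {
	methods := append([]string{"GET", "POST", "get"}, bogusMethods(500)...)
	unguarded := newMethodCounter()
	fmt.Println("unguarded series:", drive(unguarded, instrument(unguarded, okHandler()), methods))
	guarded := newMethodCounter()
	fmt.Println("guarded series:  ", drive(guarded, sanitizeMethod(instrument(guarded, okHandler())), methods))
}
```

Note that the lowercase `get` is also rejected by the guard: Go's `http.Request.Method` is passed through verbatim, so case variants would otherwise each become their own series. Rejecting with 405 is one choice; mapping unknown methods to a single placeholder label before the instrumented handler bounds cardinality equally well.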
**VCID-g45u-nf13-euee** (aliases: CVE-2022-21703, GHSA-cmf4-h3xc-jw8w)

Grafana Cross Site Request Forgery (CSRF)

Today we are releasing Grafana 8.3.5 and 7.5.15. This patch release includes a MEDIUM severity security fix for Cross Site Request Forgery in Grafana.

Release v.8.3.5, only containing security fixes:

- [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/)

Release v.7.5.15, only containing security fixes:

- [Download Grafana 7.5.15](https://grafana.com/grafana/download/7.5.15)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-15/)

## CSRF ([CVE-2022-21703](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21703))

### Summary

On Jan. 18, security researchers [jub0bs](https://twitter.com/jub0bs) and [abrahack](https://twitter.com/theabrahack) contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins).

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).

### Impact

An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges.

### Affected versions with MEDIUM severity

All Grafana >=3.0-beta1 versions are affected by this vulnerability.

### Solutions and mitigations

All installations after Grafana v3.0-beta1 should be upgraded as soon as possible.

Note that if you are running Grafana behind any reverse proxy, you need to make sure that you are passing the original Host and Origin headers from the client request to Grafana. In the case of Apache Server, you need to add `ProxyPreserveHost on` in your proxy [configuration](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html). In the case of NGINX, you need to add `proxy_set_header Host $http_host;` in your [configuration](http://nginx.org/en/docs/http/ngx_http_proxy_module.html).

Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and, as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.

### Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

- 2022-01-18 03:00 Issue submitted by external researchers
- 2022-01-18 17:25 Vulnerability confirmed reproducible
- 2022-01-19 07:40 CVSS score confirmed 6.8 at maximum and MEDIUM impact
- 2022-01-19 07:40 Begin mitigation for Grafana Cloud
- 2022-01-19 17:00 CVE requested
- 2022-01-19 19:50 GitHub issues CVE-2022-21703
- 2022-01-21 10:50 PR with fix opened
- 2022-01-21 14:13 Private release planned for 2022-01-25, and public release planned for 2022-02-01.
- 2022-01-25 12:00 Private release
- 2022-02-01 12:00 During the public release process, we realized that the private 7.x release was incomplete. Abort public release, send second private release to customers using 7.x
- 2022-02-08 12:00 Public release

### Acknowledgement

We would like to thank [jub0bs](https://twitter.com/jub0bs) and [abrahack](https://twitter.com/theabrahack) for responsibly disclosing the vulnerability.

### Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address.

We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA. The key is available from keyserver.ubuntu.com.

### Security announcements

We maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).

Fixed by: There are no reported fixed by versions.

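The reverse-proxy note above (pass the original Host and Origin headers through to Grafana) matters because a CSRF defence of this kind compares the request's Origin with its Host. The following Go program is an added example, not Grafana's code or the advisory's: `checkSameOrigin` is a constructed, minimal version of such a check, `grafana.example.com` and `grafana-backend:3000` are illustrative names, `/api/org/invites` is used only as an example of a state-changing call, and `reverseProxy` models nothing more than whether a fronting proxy preserved the Host header. It shows the three cases a deployer needs to understand: a same-origin request passes, a cross-site request is rejected, and a proxy that rewrites Host breaks the legitimate case, which is why the advisory requires `ProxyPreserveHost on` or `proxy_set_header Host $http_host;`.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

var errCrossOrigin = errors.New("csrf: Origin host does not match request Host")

// checkSameOrigin is a minimal origin-versus-host check of the kind a CSRF
// fix relies on (constructed here; it is not Grafana's middleware). For any
// request that is not a safe read and carries an Origin header, the origin's
// host must equal the Host the request arrived with. Browsers always attach
// Origin to cross-site POSTs, so a forged request cannot omit it.
func checkSameOrigin(r *http.Request) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return nil // assumption: Origin-less clients are non-browser API callers
	}
	u, err := url.Parse(origin)
	if err != nil || !strings.EqualFold(u.Host, r.Host) {
		return errCrossOrigin
	}
	return nil
}

// reverseProxy models the proxy in front of Grafana. With preserveHost false
// the proxy replaces Host with the upstream's name, which is the
// misconfiguration the advisory warns about.
func reverseProxy(client *http.Request, preserveHost bool) *http.Request {
	upstream := client.Clone(client.Context())
	if !preserveHost {
		upstream.Host = "grafana-backend:3000" // constructed upstream name
	}
	return upstream
}

// browserPost builds a cookie-authenticated POST as a browser on originSite
// would send it to the (constructed) Grafana at grafana.example.com.
func browserPost(originSite string) *http.Request {
	req := httptest.NewRequest(http.MethodPost, "https://grafana.example.com/api/org/invites", strings.NewReader("{}"))
	req.Header.Set("Origin", originSite)
	req.Header.Set("Cookie", "grafana_session=constructed")
	return req
}

// outcome returns the verdict the check reaches for a POST from originSite
// after it has passed through a proxy with or without Host preservation.
func outcome(originSite string, preserveHost bool) error {
	return checkSameOrigin(reverseProxy(browserPost(originSite), preserveHost))
}

func main() {
	cases := []struct {
		origin   string
		preserve bool
	}{
		{"https://grafana.example.com", true},  // legitimate, proxy configured correctly
		{"https://attacker.example", true},     // cross-site request, rejected
		{"https://grafana.example.com", false}, // legitimate, but proxy rewrote Host
	}
	for _, c := range cases {
		fmt.Printf("origin=%-28s preserveHost=%-5v -> %v\n", c.origin, c.preserve, outcome(c.origin, c.preserve))
	}
}
```

The third case is the operational trap: after the upgrade, a proxy that rewrites Host makes every browser-initiated write look cross-origin, so users see rejected requests rather than a weakened check. Verifying that `Host` and `Origin` reach Grafana unchanged is therefore part of deploying this fix, not an optional tuning step.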
**VCID-g8y7-jdy7-afdh** (aliases: CVE-2022-30632)

Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution.

Fixed by: There are no reported fixed by versions.

**VCID-kgdc-2fzk-1uc6** (aliases: CVE-2022-21713, GHSA-63g3-9jq3-mccv)

Grafana API IDOR

Today we are releasing Grafana 8.3.5 and 7.5.14. This patch release includes a MEDIUM severity security fix for a Grafana Teams API IDOR.

Release v.8.3.5, only containing security fixes:

- [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/)

Release v.7.5.15, only containing security fixes:

- [Download Grafana 7.5.15](https://grafana.com/grafana/download/7.5.15)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-15/)

## Teams API IDOR ([CVE-2022-21713](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21713))

On Jan. 18, an external security researcher, Kürşad ALSAN from [NSPECT.IO](https://www.nspect.io) ([@nspectio](https://twitter.com/nspectio) on Twitter), contacted Grafana to disclose an IDOR (Insecure Direct Object Reference) vulnerability in the Grafana Teams APIs.

We believe that this vulnerability is rated at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

### Impact

This vulnerability only impacts the following API endpoints:

- `/teams/:teamId` - an authenticated attacker can view unintended data by querying for the specific team ID.
- `/teams/:search` - an authenticated attacker can search for teams and see the total number of available teams, including those teams that the user does not have access to.
- `/teams/:teamId/members` - when the editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID.

### Affected versions with MEDIUM severity

All Grafana >=5.0.0-beta1 versions are affected by this vulnerability.

### Solutions and mitigations

All installations after Grafana v5.0.0-beta1 should be upgraded as soon as possible.

Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and, as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.

### Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

- 2022-01-18 05:00 Issue submitted by external researcher
- 2022-01-21 17:45 Issue escalated and the vulnerability confirmed reproducible
- 2022-01-24 13:37 CVE requested
- 2022-01-24 14:40 Private release planned for 2022-01-25, and public release planned for 2022-02-01.
- 2022-01-24 17:00 PR with fix opened
- 2022-01-24 19:00 GitHub has issued CVE-2022-21713
- 2022-01-25 12:00 Private release
- 2022-02-01 12:00 During the public release process, we realized that the private 7.x release was incomplete. Abort public release, send second private release to customers using 7.x
- 2022-02-08 13:00 Public release

### Acknowledgements

We would like to thank Kürşad ALSAN from [NSPECT.IO](https://www.nspect.io) ([@nspectio](https://twitter.com/nspectio) on Twitter) for responsibly disclosing the vulnerability.

### Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address.

We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA. The key is available from keyserver.ubuntu.com.

### Security announcements

We maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).

Fixed by: There are no reported fixed by versions.

**VCID-ps89-8u5a-kfc8** (aliases: CVE-2022-1705)

Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution.

Fixed by: There are no reported fixed by versions.

**VCID-v8hn-wm59-kugt** (aliases: CVE-2022-21673)

grafana: Forward OAuth Identity Token can allow users to access some data sources

Fixed by: There are no reported fixed by versions.

**VCID-vxks-1bkp-6bd5** (aliases: CVE-2022-30631)

Multiple vulnerabilities have been found in Go, the worst of which could result in remote code execution.

Fixed by: There are no reported fixed by versions.

**VCID-x4cs-g2jz-eqb5** (aliases: CVE-2021-23648, GHSA-hqq7-2q2v-82xq)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The package @braintree/sanitize-url before 6.0.0 is vulnerable to Cross-site Scripting (XSS) due to improper sanitization in the sanitizeUrl function.

Fixed by: There are no reported fixed by versions.

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |