Security update for grafana SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0821-1 Final 1 1 2023-03-20T15:35:12Z current 2023-03-20T15:35:12Z 2023-03-20T15:35:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for grafana This update for grafana fixes the following issues: - CVE-2022-23552: Fixed SVG processing by adding a dompurify preprocessor step (bsc#1207749). - CVE-2022-39324: Fixed originalUrl spoof security issue (bsc#1207750). - CVE-2022-41723: Fixed go issue to avoid quadratic complexity in HPACK decoding (bsc#1208293). - CVE-2022-46146: Fixed basic authentication bypass by updating the exporter toolkit (bsc#1208065). - Trim leading and trailing whitespaces from email and username on signup - Fix invitation validation: Check whether the provided email address is the same as where the invitation is sent The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container ses/7.1/ceph/grafana:latest-2023-821,SUSE-2023-821,SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-821,openSUSE-SLE-15.4-2023-821 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230821-1/ Link for SUSE-SU-2023:0821-1 https://lists.suse.com/pipermail/sle-security-updates/2023-March/014097.html E-Mail link for SUSE-SU-2023:0821-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1207749 SUSE Bug 1207749 https://bugzilla.suse.com/1207750 SUSE Bug 1207750 https://bugzilla.suse.com/1208065 SUSE Bug 1208065 https://bugzilla.suse.com/1208293 SUSE Bug 1208293 https://www.suse.com/security/cve/CVE-2022-23552/ SUSE CVE CVE-2022-23552 page https://www.suse.com/security/cve/CVE-2022-39324/ SUSE CVE CVE-2022-39324 page https://www.suse.com/security/cve/CVE-2022-41723/ SUSE CVE CVE-2022-41723 page https://www.suse.com/security/cve/CVE-2022-46146/ SUSE CVE CVE-2022-46146 page Container ses/7.1/ceph/grafana:latest SUSE Linux Enterprise Module for Package Hub 15 SP4 openSUSE Leap 15.4 grafana-8.5.20-150200.3.35.1 grafana-8.5.20-150200.3.35.1 as a component of Container ses/7.1/ceph/grafana:latest grafana-8.5.20-150200.3.35.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 grafana-8.5.20-150200.3.35.1 as a component of openSUSE Leap 15.4 Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix. CVE-2022-23552 Container ses/7.1/ceph/grafana:latest:grafana-8.5.20-150200.3.35.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-8.5.20-150200.3.35.1 openSUSE Leap 15.4:grafana-8.5.20-150200.3.35.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230821-1/ https://www.suse.com/security/cve/CVE-2022-23552.html CVE-2022-23552 https://bugzilla.suse.com/1207749 SUSE Bug 1207749 Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker's injected URL. This issue is fixed in versions 8.5.16 and 9.2.8. CVE-2022-39324 Container ses/7.1/ceph/grafana:latest:grafana-8.5.20-150200.3.35.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-8.5.20-150200.3.35.1 openSUSE Leap 15.4:grafana-8.5.20-150200.3.35.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230821-1/ https://www.suse.com/security/cve/CVE-2022-39324.html CVE-2022-39324 https://bugzilla.suse.com/1207750 SUSE Bug 1207750 A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. CVE-2022-41723 Container ses/7.1/ceph/grafana:latest:grafana-8.5.20-150200.3.35.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-8.5.20-150200.3.35.1 openSUSE Leap 15.4:grafana-8.5.20-150200.3.35.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230821-1/ https://www.suse.com/security/cve/CVE-2022-41723.html CVE-2022-41723 https://bugzilla.suse.com/1208270 SUSE Bug 1208270 https://bugzilla.suse.com/1215588 SUSE Bug 1215588 Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There is no workaround, but attacker must have access to the hashed password to use this functionality. CVE-2022-46146 Container ses/7.1/ceph/grafana:latest:grafana-8.5.20-150200.3.35.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-8.5.20-150200.3.35.1 openSUSE Leap 15.4:grafana-8.5.20-150200.3.35.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230821-1/ https://www.suse.com/security/cve/CVE-2022-46146.html CVE-2022-46146 https://bugzilla.suse.com/1208046 SUSE Bug 1208046