Security update for grafana SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:1904-1 Final 1 1 2023-04-19T03:09:30Z current 2023-04-19T03:09:30Z 2023-04-19T03:09:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for grafana This version update from 8.5.20 to 8.5.22 for grafana fixes the following issues: - Security issues fixed: * CVE-2023-1410: Fix XSS in Graphite functions tooltip (bsc#1209645) * CVE-2023-0507: Apply attribute sanitation to GeomapPanel (bsc#1208821) * CVE-2023-0594: Avoid storing XSS in TraceView panel (bsc#1208819) - The following non-security bug was fixed: * Login: Fix panic when UpsertUser is called without ReqContext The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container ses/7.1/ceph/grafana:latest-2023-1904,SUSE-2023-1904,SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-1904,openSUSE-SLE-15.4-2023-1904 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20231904-1/ Link for SUSE-SU-2023:1904-1 https://lists.suse.com/pipermail/sle-updates/2023-April/028873.html E-Mail link for SUSE-SU-2023:1904-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1208819 SUSE Bug 1208819 https://bugzilla.suse.com/1208821 SUSE Bug 1208821 https://bugzilla.suse.com/1209645 SUSE Bug 1209645 https://www.suse.com/security/cve/CVE-2023-0507/ SUSE CVE CVE-2023-0507 page https://www.suse.com/security/cve/CVE-2023-0594/ SUSE CVE CVE-2023-0594 page https://www.suse.com/security/cve/CVE-2023-1410/ SUSE CVE CVE-2023-1410 page Container ses/7.1/ceph/grafana:latest SUSE Linux Enterprise Module for Package Hub 15 SP4 openSUSE Leap 15.4 grafana-8.5.22-150200.3.38.1 grafana-8.5.22-150200.3.38.1 as a component of Container ses/7.1/ceph/grafana:latest grafana-8.5.22-150200.3.38.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 grafana-8.5.22-150200.3.38.1 as a component of openSUSE Leap 15.4 Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. CVE-2023-0507 Container ses/7.1/ceph/grafana:latest:grafana-8.5.22-150200.3.38.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-8.5.22-150200.3.38.1 openSUSE Leap 15.4:grafana-8.5.22-150200.3.38.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20231904-1/ https://www.suse.com/security/cve/CVE-2023-0507.html CVE-2023-0507 https://bugzilla.suse.com/1208821 SUSE Bug 1208821 Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. CVE-2023-0594 Container ses/7.1/ceph/grafana:latest:grafana-8.5.22-150200.3.38.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-8.5.22-150200.3.38.1 openSUSE Leap 15.4:grafana-8.5.22-150200.3.38.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20231904-1/ https://www.suse.com/security/cve/CVE-2023-0594.html CVE-2023-0594 https://bugzilla.suse.com/1208819 SUSE Bug 1208819 Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. CVE-2023-1410 Container ses/7.1/ceph/grafana:latest:grafana-8.5.22-150200.3.38.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-8.5.22-150200.3.38.1 openSUSE Leap 15.4:grafana-8.5.22-150200.3.38.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20231904-1/ https://www.suse.com/security/cve/CVE-2023-1410.html CVE-2023-1410 https://bugzilla.suse.com/1209645 SUSE Bug 1209645