CVE-2023-22462: Grafana security release: New versions with security fixes for CVE-2023-0594, CVE-2023-0507, and CVE-2023-22462

Grafana is an open-source platform for monitoring and observability. On 2023-01-01, during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. It was possible because React's render cycle passes the unsanitized HTML through once; only in the next cycle is the HTML cleaned up and saved in Grafana's database. An attacker needs the Editor role in order to change a Text panel to include JavaScript. Another user then needs to edit the same Text panel and click "Markdown" or "HTML" for the code to execute. This makes vertical privilege escalation possible: if a user with the Admin role triggers the malicious JavaScript while editing the dashboard, the script runs with that user's session and can, for example, change the Admin user's password to one the Editor knows. This issue has been patched in versions 9.2.10 and 9.3.4.


Today we are releasing Grafana 9.4, which includes updates such as enhanced navigation and custom visualization panels. In addition, this release contains security fixes for CVE-2023-0594, CVE-2023-0507, and CVE-2023-22462.

We have also released a security patch for Grafana 9.3.8, 9.2.13, and 8.5.21 to address these issues.

Release 9.4.1, latest release with security patch:

  • Download Grafana 9.4.1

Release 9.3.8, latest 9.3 patch with security fix:

  • Download Grafana 9.3.8

Release 9.2.13, latest 9.2 patch with security fix:

  • Download Grafana 9.2.13

Release 8.5.21 with security fix:

  • Download Grafana 8.5.21

Stored XSS in TraceView panel (CVE-2023-0594)

Summary

During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the TraceView panel.

The stored XSS vulnerability was possible because the values of a span's attributes and resources were not sanitized before being rendered, and they are rendered as markup when the span's attributes/resources are expanded in the panel.

The CVSS score for this vulnerability is 7.3 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

Appropriate patches have been applied to Grafana Cloud.

Impact

An attacker needs the Editor role in order to store JavaScript in the value rendered by a trace view visualization. When a user with the Admin role views that dashboard, the script runs in the Admin user's browser with the Admin user's session, so it can, for example, change the Admin user's password to one the attacker knows. This is a vertical privilege escalation from Editor to Admin.

Impacted versions

All installations running Grafana 7.0 or later below 8.5.21, any 9.x release below 9.2.13 (including all of 9.0.x and 9.1.x, which have no patched release of their own), and 9.3.x below 9.3.8.

Solutions and mitigations

To fully address CVE-2023-0594, upgrade your Grafana instances. As an interim mitigation, you can enable Grafana's Content-Security-Policy option (the content_security_policy setting in the [security] section of grafana.ini); the resulting CSP header stops browsers that enforce it from running injected inline scripts, but it does not remove the stored payload, so it is not a substitute for the upgrade.

Stored XSS in geomap panel plugin via attribution (CVE-2023-0507)

Summary

During an internal audit of Grafana on January 25, a member of the security team found a stored XSS vulnerability affecting the core geomap plugin.

The stored XSS vulnerability was possible because map attributions were not sanitized before being rendered, allowing arbitrary JavaScript to be executed in the browser of whichever authenticated user of the Grafana instance viewed the panel.
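The two descriptions above (span attributes in the trace view, attributions in the geomap panel) are the same bug class: an Editor-controlled string is interpolated into markup without escaping. The following is an added example, not Grafana's own code, showing that pattern next to a hardened renderer. It assumes nothing about Grafana's internals; function names, the table/span markup and the payload are all constructed for the example, and the attribution renderer deliberately takes structured data (label plus URL) instead of HTML, which is the design change that removes the sink rather than filtering it.

```javascript
// Added example, not Grafana's code: the bug class behind CVE-2023-0594 and
// CVE-2023-0507 (an untrusted string interpolated straight into markup) next
// to a hardened renderer. Node 18+, no dependencies; inputs are constructed.

// Vulnerable pattern: equivalent to assigning attacker-controlled text to
// innerHTML. Whatever the Editor stored is parsed as markup by the browser.
function renderSpanAttributeUnsafe(key, value) {
  return `<tr><td>${key}</td><td>${value}</td></tr>`;
}

// Escaping for an HTML text node or a double-quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened: every untrusted value is escaped for the context it lands in.
function renderSpanAttribute(key, value) {
  return `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Attributions legitimately carry a link ("OpenStreetMap contributors" with a
// licence URL), which is why accepting raw HTML looks convenient. Accept the
// parts instead, and only emit an href for http(s) URLs; "javascript:" and
// unparsable values lose the link but keep the (escaped) label.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null; // relative or malformed: drop the link rather than guess
  }
}

function renderAttribution({ label, url }) {
  const text = escapeHtml(label);
  const href = safeHref(url);
  if (href === null) return `<span class="attribution">${text}</span>`;
  return `<span class="attribution"><a href="${escapeHtml(href)}" rel="noopener noreferrer">${text}</a></span>`;
}

// Lists the element names present in a markup string, so a check can tell
// whether an input-supplied tag survived rendering (the templates' own
// tr/td/span/a are expected; anything else came from the input).
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([A-Za-z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Constructed payload of the kind an Editor could store in a span attribute
// or a map attribution.
const PAYLOAD = '<img src=x onerror="alert(1)">';

console.log('unsafe :', renderSpanAttributeUnsafe('http.url', PAYLOAD));
console.log('escaped:', renderSpanAttribute('http.url', PAYLOAD));
console.log('no link:', renderAttribution({ label: 'OpenStreetMap contributors', url: 'javascript:alert(1)' }));
console.log('linked :', renderAttribution({ label: 'OpenStreetMap contributors', url: 'https://www.openstreetmap.org/copyright' }));
```

The escaping here is the minimum for text and attribute contexts only; if a feature genuinely has to accept a subset of HTML (as the text panel does), the right tool is an allow-list sanitizer such as DOMPurify applied on every render, not a hand-written filter, and the output of the sanitizer is what gets stored.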

The CVSS score for this vulnerability is 7.3 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

Appropriate patches have been applied to Grafana Cloud.

Impact

An attacker needs the Editor role in order to give a geomap panel a map attribution containing JavaScript. When a user with the Admin role views that dashboard, the script runs in the Admin user's browser with the Admin user's session, so it can, for example, change the Admin user's password to one the attacker knows. This is a vertical privilege escalation from Editor to Admin.

Impacted versions

All installations running Grafana 8.1 or later below 8.5.21, any 9.x release below 9.2.13 (including all of 9.0.x and 9.1.x, which have no patched release of their own), and 9.3.x below 9.3.8.

Solutions and mitigations

To fully address CVE-2023-0507, upgrade your Grafana instances. As an interim mitigation, you can enable the Content-Security-Policy option; it limits what an injected script can do in enforcing browsers but does not remove the stored payload.

Stored XSS in text panel plugin (CVE-2023-22462)

Summary

During an internal audit of Grafana on January 1, a member of the security team found a stored XSS vulnerability affecting the core text plugin.

The stored XSS vulnerability requires several user interactions in order to be fully exploited. It was possible because React's render cycle passes the unsanitized HTML through once; only in the next cycle is the HTML cleaned up and saved in Grafana's database, so the sanitizer runs, but one render too late.

The CVSS score for this vulnerability is 6.4 Medium (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

Appropriate patches have been applied to Grafana Cloud.

Impact

An attacker needs the Editor role in order to change a text panel to include JavaScript. Later, another user needs to edit the same text panel and click Markdown or HTML for the code to execute. If that user holds the Admin role, the script runs in their browser with their session, so it can, for example, change the Admin user's password to one the attacker knows. This is a vertical privilege escalation from Editor to Admin, which is why the score carries UI:R and AC:H: the victim has to edit the specific panel, not merely view the dashboard.

Impacted versions

All installations running Grafana 9.2.x below 9.2.10 and 9.3.x below 9.3.4.

Solutions and mitigations

To fully address CVE-2023-22462, upgrade your Grafana instances. As an interim mitigation, you can enable the Content-Security-Policy option; it limits what an injected script can do in enforcing browsers but does not remove the stored payload.
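The three "Impacted versions" sections above give per-branch thresholds, which is easy to misread (a 9.1.x install is "below 9.2.13" and has no patched release of its own). The following added example, not Grafana's own tooling, turns those sections into a check you can run against the version a server reports. The version ranges are this example's reading of the advisory and of the GHSA summaries quoted below (trace view affected from 7.0, geomap from 8.1, the text panel issue on 9.2.x and 9.3.x); the health response body is a constructed sample, and the only assumption about the server is that GET /api/health returns a JSON object with a version field, as Grafana does.

```javascript
// Added example, not Grafana's code: decide whether a Grafana build needs the
// fixes from this advisory. Ranges are [introduced, fixed) per release branch
// and are this example's reading of the "Impacted versions" sections; branches
// with no fixed release inside a range (7.x, 8.0-8.4, 9.0, 9.1) have to move
// to a patched branch.
const ADVISORIES = {
  'CVE-2023-0594': [['7.0.0', '8.5.21'], ['9.0.0', '9.2.13'], ['9.3.0', '9.3.8']],
  'CVE-2023-0507': [['8.1.0', '8.5.21'], ['9.0.0', '9.2.13'], ['9.3.0', '9.3.8']],
  'CVE-2023-22462': [['9.2.0', '9.2.10'], ['9.3.0', '9.3.4']],
};

// "v9.3.7", "9.3.7", "9.3.8-pre" and "9.3.8+build" all parse. The fourth
// component orders a pre-release below the release it precedes, so a
// 9.3.8-pre build is still reported as affected; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Grafana version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function compareVersions(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version, [introduced, fixed]) {
  const v = parseVersion(version);
  return compareVersions(v, parseVersion(introduced)) >= 0 &&
    compareVersions(v, parseVersion(fixed)) < 0;
}

// CVE identifiers from ADVISORIES whose ranges contain the given version.
function affectedCves(version) {
  return Object.entries(ADVISORIES)
    .filter(([, ranges]) => ranges.some((range) => inRange(version, range)))
    .map(([cve]) => cve);
}

// Grafana reports its version unauthenticated at GET /api/health. This body
// is a constructed sample of that JSON, not captured from a real server.
const SAMPLE_HEALTH = '{"commit":"constructed","database":"ok","version":"9.3.7"}';

function checkHealthResponse(body) {
  const { version } = JSON.parse(body);
  const cves = affectedCves(version);
  return { version, cves, needsUpgrade: cves.length > 0 };
}

console.log(checkHealthResponse(SAMPLE_HEALTH));
```

Two edge cases are handled on purpose: a pre-release such as 9.3.8-pre is ordered below 9.3.8 so it is not mistaken for the fixed build, and an unparsable version string throws instead of silently reporting "not affected". Anything this check flags should be upgraded to the patched release of its branch, or to 9.4.1 if the branch has none.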

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key.

The key fingerprint is 225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.

Related news

Red Hat Security Advisory 2024-0746-03

Red Hat Security Advisory 2024-0746-03 - Updated container image for Red Hat Ceph Storage 5.3 is now available in the Red Hat Ecosystem Catalog. Issues addressed include cross site scripting and denial of service vulnerabilities.

GHSA-7rqg-hjwc-6mjf: Grafana vulnerable to Stored Cross-site Scripting in Text plugin

Description: On 2023-01-01, during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. It was possible because React's render cycle passes the unsanitized HTML through once; only in the next cycle is the HTML cleaned up and saved in Grafana's database. Impact: An attacker needs the Editor role in order to change a Text panel to include JavaScript. Later, another user needs to edit the same Text panel and click "Markdown" or "HTML" for the code to execute. This means that vertical privilege escalation is possible, where a user with the Editor role can change an Admin user's password to a known value if the Admin user executes the malicious JavaScript while editing the dashboard. Impacted versions: Grafana versions 9.2.x and 9.3.x. Solutions and mitigations: Up...

GHSA-xw5p-hw8j-xg4q: Grafana vulnerable to Cross-site Scripting

Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

GHSA-hjv9-hm2f-rpcj: Grafana vulnerable to Cross-site Scripting

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
