Moderate: grafana security, bug fix, and enhancement update

2020-11-0312:26:41

errata.almalinux.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

76.4%

JSON

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

The following packages have been upgraded to a later upstream version: grafana (6.7.4). (BZ#1807323)

Security Fix(es):

grafana: XSS vulnerability via a column style on the “Dashboard > Table Panel” screen (CVE-2018-18624)
grafana: arbitrary file read via MySQL data source (CVE-2019-19499)
grafana: stored XSS (CVE-2020-11110)
grafana: XSS annotation popup vulnerability (CVE-2020-12052)
grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)
grafana: information disclosure through world-readable /var/lib/grafana/grafana.db (CVE-2020-12458)
grafana: information disclosure through world-readable grafana configuration files (CVE-2020-12459)
grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

OSVersionArchitecturePackageVersionFilename
almalinux8x86_64grafana-prometheus< 6.7.4-3.el8grafana-prometheus-6.7.4-3.el8.x86_64.rpm
almalinux8x86_64grafana-elasticsearch< 6.7.4-3.el8grafana-elasticsearch-6.7.4-3.el8.x86_64.rpm
almalinux8x86_64grafana-stackdriver< 6.7.4-3.el8grafana-stackdriver-6.7.4-3.el8.x86_64.rpm
almalinux8x86_64grafana-influxdb< 6.7.4-3.el8grafana-influxdb-6.7.4-3.el8.x86_64.rpm
almalinux8x86_64grafana-mysql< 6.7.4-3.el8grafana-mysql-6.7.4-3.el8.x86_64.rpm
almalinux8x86_64grafana-azure-monitor< 6.7.4-3.el8grafana-azure-monitor-6.7.4-3.el8.x86_64.rpm
almalinux8x86_64grafana-cloudwatch< 6.7.4-3.el8grafana-cloudwatch-6.7.4-3.el8.x86_64.rpm
almalinux8x86_64grafana-opentsdb< 6.7.4-3.el8grafana-opentsdb-6.7.4-3.el8.x86_64.rpm
almalinux8x86_64grafana-mssql< 6.7.4-3.el8grafana-mssql-6.7.4-3.el8.x86_64.rpm
almalinux8x86_64grafana-loki< 6.7.4-3.el8grafana-loki-6.7.4-3.el8.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
almalinux	8	x86_64	grafana-prometheus	< 6.7.4-3.el8	grafana-prometheus-6.7.4-3.el8.x86_64.rpm
almalinux	8	x86_64	grafana-elasticsearch	< 6.7.4-3.el8	grafana-elasticsearch-6.7.4-3.el8.x86_64.rpm
almalinux	8	x86_64	grafana-stackdriver	< 6.7.4-3.el8	grafana-stackdriver-6.7.4-3.el8.x86_64.rpm
almalinux	8	x86_64	grafana-influxdb	< 6.7.4-3.el8	grafana-influxdb-6.7.4-3.el8.x86_64.rpm
almalinux	8	x86_64	grafana-mysql	< 6.7.4-3.el8	grafana-mysql-6.7.4-3.el8.x86_64.rpm
almalinux	8	x86_64	grafana-azure-monitor	< 6.7.4-3.el8	grafana-azure-monitor-6.7.4-3.el8.x86_64.rpm
almalinux	8	x86_64	grafana-cloudwatch	< 6.7.4-3.el8	grafana-cloudwatch-6.7.4-3.el8.x86_64.rpm
almalinux	8	x86_64	grafana-opentsdb	< 6.7.4-3.el8	grafana-opentsdb-6.7.4-3.el8.x86_64.rpm
almalinux	8	x86_64	grafana-mssql	< 6.7.4-3.el8	grafana-mssql-6.7.4-3.el8.x86_64.rpm
almalinux	8	x86_64	grafana-loki	< 6.7.4-3.el8	grafana-loki-6.7.4-3.el8.x86_64.rpm