AlmaLinuxALSA-2023:6420Moderate: grafana security and enhancement update
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
7.7 High
AI Score
Confidence
Low
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
61.6%
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
- grafana: persistent xss in grafana core plugins (CVE-2022-23552)
- grafana: plugin signature bypass (CVE-2022-31123)
- grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)
- grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)
- grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)
- grafana: User enumeration via forget password (CVE-2022-39307)
- grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)
- golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
- golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| almalinux | 9 | ppc64le | grafana | < 9.2.10-7.el9_3.alma.1 | grafana-9.2.10-7.el9_3.alma.1.ppc64le.rpm |
| almalinux | 9 | aarch64 | grafana | < 9.2.10-7.el9_3.alma.1 | grafana-9.2.10-7.el9_3.alma.1.aarch64.rpm |
| almalinux | 9 | x86_64 | grafana | < 9.2.10-7.el9_3.alma.1 | grafana-9.2.10-7.el9_3.alma.1.x86_64.rpm |
| almalinux | 9 | s390x | grafana | < 9.2.10-7.el9_3.alma.1 | grafana-9.2.10-7.el9_3.alma.1.s390x.rpm |
References
access.redhat.com/errata/RHSA-2023:6420
access.redhat.com/security/cve/CVE-2022-23552
access.redhat.com/security/cve/CVE-2022-31123
access.redhat.com/security/cve/CVE-2022-31130
access.redhat.com/security/cve/CVE-2022-39201
access.redhat.com/security/cve/CVE-2022-39306
access.redhat.com/security/cve/CVE-2022-39307
access.redhat.com/security/cve/CVE-2022-39324
access.redhat.com/security/cve/CVE-2022-41717
access.redhat.com/security/cve/CVE-2023-24534
bugzilla.redhat.com/2131146
bugzilla.redhat.com/2131147
bugzilla.redhat.com/2131148
bugzilla.redhat.com/2138014
bugzilla.redhat.com/2138015
bugzilla.redhat.com/2148252
bugzilla.redhat.com/2158420
bugzilla.redhat.com/2161274
bugzilla.redhat.com/2184483
errata.almalinux.org/9/ALSA-2023-6420.html
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
7.7 High
AI Score
Confidence
Low
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
61.6%