ArchLinuxASA-202111-5[ASA-202111-5] grafana: cross-site scripting
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.964 High
EPSS
Percentile
99.5%
Arch Linux Security Advisory ASA-202111-5
Severity: Medium
Date : 2021-11-05
CVE-ID : CVE-2021-41174
Package : grafana
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-2517
Summary
The package grafana before version 8.2.3-1 is vulnerable to cross-site
scripting.
Resolution
Upgrade to 8.2.3-1.
pacman -Syu βgrafana>=8.2.3-1β
The problem has been fixed upstream in version 8.2.3.
Workaround
To mitigate the issue, a reverse proxy or similar can be used to block
access to block the literal string β{{β in the path.
Description
A security issue has been found in Grafana before version 8.2.3. If an
attacker is able to convince a victim to visit a URL referencing a
vulnerable page, arbitrary JavaScript content may be executed within
the context of the victimβs browser.
The user visiting the malicious link must be unauthenticated and the
link must be for a page that contains the login button in the menu bar.
There are two ways an unauthenticated user can open a page in Grafana
that contains the login button:
- Anonymous authentication is enabled. This means all pages in Grafana
would be open for the attack. - The link is to an unauthenticated page. The following pages are
vulnerable:- /dashboard-solo/snapshot/*
- /dashboard/snapshot/*
- /invite/:code
The url has to be crafted to exploit AngularJS rendering and contain
the interpolation binding for AngularJS expressions. AngularJS uses
double curly braces for interpolation binding: {{ }}
An example of an expression would be:
β{{constructor.constructor(βalert(1)β)()}}β. This can be included in
the link URL like this:
https://play.grafana.org/dashboard/snapshot/{{constructor.construct
or(βalert(1)β)()%7D%7D?orgId=1
When the user follows the link and the page renders, the login button
will contain the original link with a query parameter to force a
redirect to the login page. The URL is not validated and the AngularJS
rendering engine will execute the JavaScript expression contained in
the URL.
Impact
A remote attacker could execute arbitrary JavaScript code by tricking
an unauthenticated victim into opening a crafted URL.
References
https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
https://github.com/grafana/grafana/commit/34eda6123d9b21c2c0b2d0c0e6f2fb38e6cf60d5
https://github.com/grafana/grafana/commit/a3dc30546fce2e437d858c140f1ff307a04365d6
https://github.com/grafana/grafana/commit/8081dc9ee913a1bf4b98f99e78661db88a6dc1ef
https://github.com/grafana/grafana/commit/1c7ce348ce4363c55992ed5772f96981d1a86f7e
https://security.archlinux.org/CVE-2021-41174
References
github.com/grafana/grafana/commit/1c7ce348ce4363c55992ed5772f96981d1a86f7e
github.com/grafana/grafana/commit/34eda6123d9b21c2c0b2d0c0e6f2fb38e6cf60d5
github.com/grafana/grafana/commit/8081dc9ee913a1bf4b98f99e78661db88a6dc1ef
github.com/grafana/grafana/commit/a3dc30546fce2e437d858c140f1ff307a04365d6
github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.construct
security.archlinux.org/AVG-2517
security.archlinux.org/CVE-2021-41174
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.964 High
EPSS
Percentile
99.5%