RH:CVE-2023-0594 (Red Hat CVE database, redhat.com)
Published: Mar 01, 2023 - 6:30 p.m.

CVE-2023-0594

Source: access.redhat.com
Tags: cve-2023-0594, grafana, flaw, malicious user, admin account, password change, trace data, content-security-policy, mitigation

CVSS v3.1 base score: 7.3 High
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: None

EPSS score: 0.001 (Low), percentile 21.0%

A flaw was found in the grafana package. A malicious user who can introduce trace data can embed JavaScript in it that executes in the browser of whoever opens the trace view (a stored cross-site scripting issue). That script can change the viewing user's password, which may be an administrator's, to a value the attacker knows, giving the attacker access to the admin account.

Mitigation

Enabling the Content-Security-Policy header that ships with Grafana blocks inline scripts from executing and so mitigates this flaw. This is a mitigation, not a fix: the injected script is still stored and served, it is only the browser that refuses to run it, so the fixed package should still be applied.
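The mitigation above only works if the policy Grafana sends actually forbids inline script: a `script-src` that carries `'unsafe-inline'` with no nonce or hash, or a header with no script-governing directive at all, leaves the injected JavaScript runnable. The following is an added example (not code from the page, from Red Hat, or from the Grafana project) that parses a Content-Security-Policy header and decides whether inline scripts are blocked; it assumes the `script-src`/`default-src` fallback and the rule that a nonce or hash source makes `'unsafe-inline'` ignored, both as specified in CSP Level 3. The sample headers are constructed for illustration, not captured from a real instance; Grafana's shipped policy is enabled with `content_security_policy = true` under `[security]` in grafana.ini, and the live-check helper simply reads whatever header the server returns.

```python
"""Check whether a Content-Security-Policy header blocks inline <script>
execution, i.e. whether the CVE-2023-0594 mitigation is actually in effect.
Added example; not Grafana's or Red Hat's own code."""
from typing import Dict, List, Optional
import urllib.request

# Keyword source that re-enables inline script, and the source types that
# override it in CSP3-aware browsers.
INLINE_KEYWORD = "'unsafe-inline'"
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source-expressions]}.

    Directives are ';'-separated. The first occurrence of a directive name
    wins; later duplicates are ignored, as browsers do.
    """
    directives: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def script_sources(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """Sources governing <script>: script-src, else the default-src fallback."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def blocks_inline_scripts(header: str) -> bool:
    """True if the policy prevents inline scripts from running.

    Inline script remains runnable when no script-governing directive exists,
    or when 'unsafe-inline' is present without any nonce/hash source.
    """
    sources = script_sources(parse_csp(header))
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    if INLINE_KEYWORD in lowered and not has_nonce_or_hash:
        return False
    return True


def fetch_csp_header(url: str, timeout: float = 5.0) -> Optional[str]:
    """Return the Content-Security-Policy header served at `url`, if any.

    Network call; only invoked from __main__ so importing stays offline.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Content-Security-Policy")


# Constructed sample headers (assumed shapes, not captured from a real server).
SAMPLE_HEADERS = {
    # nonce-based script-src, the shape a CSP-enabled Grafana would send
    "nonce": "script-src 'self' 'strict-dynamic' 'nonce-r4nd0m';"
             "object-src 'none';base-uri 'self'",
    # explicitly permits inline script: no protection against this flaw
    "unsafe": "default-src 'self';script-src 'self' 'unsafe-inline'",
    # header present but silent on scripts: <script> is unrestricted
    "no-script-directive": "img-src *;style-src 'self' 'unsafe-inline'",
}


def assess_all() -> Dict[str, bool]:
    """Verdict for every sample header."""
    return {name: blocks_inline_scripts(h) for name, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    import sys
    for name, verdict in assess_all().items():
        print(f"{name:22s} blocks inline scripts: {verdict}")
    # e.g. python csp_check.py https://grafana.example/login (hypothetical host)
    if len(sys.argv) > 1:
        live = fetch_csp_header(sys.argv[1])
        print("live header:", live)
        print("blocks inline scripts:", blocks_inline_scripts(live or ""))
```

A missing header and a header that only restricts images or styles both come back as not blocked, which is the case a practitioner is most likely to mistake for "CSP is on". The check is deliberately conservative about `'unsafe-inline'` plus a nonce: that combination is safe only in browsers that implement CSP3 nonces, so older clients viewing the trace would still run the payload.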
