SB2020052517 - Multiple vulnerabilities in Grafana
Published: May 25, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2020-13430)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the OpenTSDB datasource. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cleartext storage of sensitive information (CVE-ID: CVE-2020-12458)
The vulnerability allows a local user to gain access to sensitive information on the target system.
The vulnerability exists due to the database directory "/var/lib/grafana" and database file "/var/lib/grafana/grafana.db" are world readable. A local user can gain access to sensitive information on the system.
Remediation
Install update from vendor's website.
References
- https://github.com/grafana/grafana/pull/24539
- https://github.com/grafana/grafana/releases/tag/v7.0.0
- https://access.redhat.com/security/cve/CVE-2020-12458
- https://bugzilla.redhat.com/show_bug.cgi?id=1827765
- https://github.com/grafana/grafana/issues/8283
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTQCKJZZYXMCSHJFZZ3YXEO5NUBANGZS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEBCIEVSYIDDCA7FTRS2IFUOYLIQU34A/
- https://security.netapp.com/advisory/ntap-20200518-0001/