SB20231107107 - Red Hat Enterprise Linux 9 update for grafana

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2022-23552)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user with the Editor role can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2022-31123)

The vulnerability allows a remote attacker to compromise the affected instance.

The vulnerability exists due to missing signature verification mechanism. A remote attacker can trick the server admin into installing a malicious plugin even though unsigned plugins are not allowed.

3) Information disclosure (CVE-ID: CVE-2022-31130)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the GitLab data source plugin leaks the API key to GitLab. A remote privileged user can expose Grafana authentication token to a third-party.

4) Information disclosure (CVE-ID: CVE-2022-39201)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to Grafana leaks the authentication cookie of users to plugins. A remote user can gain unauthorized access to sensitive information.

5) Input validation error (CVE-ID: CVE-2022-39306)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can use the invitation link to sign up with an arbitrary username/email with a malicious intent.

6) Information disclosure (CVE-ID: CVE-2022-39307)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application when using the forget password on the login page. A remote attacker can gain unauthorized access to sensitive information on the system.

7) Spoofing attack (CVE-ID: CVE-2022-39324)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to usage of a hidden originalUrl parameter in the shared dashboard. A remote attacker can trick the victim into opening a shared snapshot and click on the button in the Grafana web UI, which will redirect user to an attacker-controlled URL.

8) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2022-41717)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

9) Resource exhaustion (CVE-ID: CVE-2023-24534)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing HTTP and MIME headers in net/textproto. A remote attacker can cause an HTTP server to allocate large amounts of memory from a small request and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2023:6420