Branch sisyphus update bulletin.

Package grafana updated to version 6.7.3-alt1 for branch sisyphus in task 251720.

Published: 2020-04-24

BDU:2020-03230

Уязвимость компонентов column.title и cellLinkTooltip веб-инструмента представления данных Grafana, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Severity: MEDIUM (6.1) Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

CVE-2020-12245

Published: 2020-07-27
Modified: 2024-11-21

CVE-2020-11110

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References:

Published: 2020-04-27
Modified: 2024-11-21

CVE-2020-12052

Grafana version < 6.7.3 is vulnerable for annotation popup XSS.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Published: 2020-04-25
Modified: 2024-11-21

CVE-2020-12245

Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References:

Published: 2020-04-29
Modified: 2024-11-21

CVE-2020-12458

An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References:

Version: 2.1.0

Branch sisyphus update on 2020-05-16

ALT-BU-2020-3816-1

ALT-PU-2020-1966-1

Closed vulnerabilities

BDU:2020-03230

CVE-2020-11110

CVE-2020-12052

CVE-2020-12245

CVE-2020-12458