Все бюллетени/sisyphus/ALT-PU-2023-4148-3
ALT-PU-2023-4148-3

Обновление пакета grafana в ветке sisyphus

Версия9.5.5-alt1
Задание#323937
Опубликовано2026-02-05
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (25)

BDU:2023-01605
HIGH7.3

Уязвимость плагина GeoMap веб-инструмента представления данных Grafana, связанная с недостаточной защитой структуры веб-страницы, позволяющая нарушителю повысить свои привилегии

Опубликовано: 2023-03-28Изменено: 2024-04-04
CVSS 3.xВЫСОКАЯ 7.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS 2.0ВЫСОКАЯ 8.5
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N
Ссылки
BDU:2023-01731
MEDIUM6.4

Уязвимость веб-инструмента представления данных Grafana, связанная с недостаточной очисткой пользовательских данныхt, позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Опубликовано: 2023-03-29Изменено: 2024-04-05
CVSS 3.xСРЕДНЯЯ 6.4
CVSS:3.x/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS 2.0СРЕДНЯЯ 6.6
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:C/A:N
Ссылки
BDU:2023-01776
HIGH7.3

Уязвимость панели Trace View веб-инструмента представления данных Grafana, позволяющая нарушителю повысить свои привилегии и осуществить межсайтовые сценарные атаки

Опубликовано: 2023-04-02Изменено: 2024-04-05
CVSS 3.xВЫСОКАЯ 7.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS 2.0ВЫСОКАЯ 8.5
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:N
Ссылки
BDU:2023-03204
HIGH7.5

Уязвимость веб-инструмента представления данных Grafana, связанная с ошибками синхронизации, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2023-06-16
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
Ссылки
BDU:2023-03205
MEDIUM4.1

Уязвимость программного интерфейса веб-инструмента представления данных Grafana, позволяющая нарушителю повысить свои привилегии и проводить фишинг-атаки

Опубликовано: 2023-06-16Изменено: 2024-09-13
CVSS 3.xСРЕДНЯЯ 4.1
CVSS:3.x/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CVSS 2.0СРЕДНЯЯ 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
Ссылки
BDU:2023-03343
CRITICAL9.4

Уязвимость веб-инструмента представления данных Grafana, связанная с обходом аутентификации посредством спуфинга, позволяющая нарушителю получить полный доступ к учетной записи пользователя

Опубликовано: 2023-06-25Изменено: 2024-04-05
CVSS 3.xКРИТИЧЕСКАЯ 9.4
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CVSS 2.0КРИТИЧЕСКАЯ 9.7
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:P
Ссылки
BDU:2024-02575
MEDIUM4.8

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с неправильной нейтрализацией ввода во время создания веб-страницы, позволяющая нарушителю позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)

Опубликовано: 2024-04-04
CVSS 3.xСРЕДНЯЯ 4.8
CVSS:3.x/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0СРЕДНЯЯ 4.7
CVSS:2.0/AV:N/AC:L/Au:M/C:P/I:P/A:N
Ссылки
BDU:2024-02593
HIGH7.5

Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с раскрытие конфиденциальной информации несанкционированному субъекту, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Опубликовано: 2024-04-04Изменено: 2024-09-13
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0ВЫСОКАЯ 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
Ссылки
CVE-2023-0507
MEDIUM5.4

Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible due to map attributions weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

Опубликовано: 2023-03-01Изменено: 2025-02-13
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2023-0594
MEDIUM5.4

Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

Опубликовано: 2023-03-01Изменено: 2024-11-21
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2023-1387
HIGH7.5

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.

Опубликовано: 2023-04-26Изменено: 2025-02-13
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ссылки
CVE-2023-1410
MEDIUM4.8

Grafana is an open-source platform for monitoring and observability.  Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.  Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.

Опубликовано: 2023-03-23Изменено: 2025-02-13
CVSS 3.xСРЕДНЯЯ 4.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2023-2183
MEDIUM6.4

Grafana is an open-source platform for monitoring and observability. The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function. This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server. Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.

Опубликовано: 2023-06-06Изменено: 2025-02-13
CVSS 3.xСРЕДНЯЯ 6.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Ссылки
CVE-2023-22462
MEDIUM5.4

Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin "Text". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on "Markdown" or "HTML" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.

Опубликовано: 2023-03-02Изменено: 2024-11-21
CVSS 3.xСРЕДНЯЯ 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Ссылки
CVE-2023-2801
MEDIUM5.3

Grafana is an open-source platform for monitoring and observability. Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance. The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly. This might enable malicious users to crash Grafana instances through that endpoint. Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.

Опубликовано: 2023-06-06Изменено: 2025-02-13
CVSS 3.xСРЕДНЯЯ 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2023-28119
HIGH7.5

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process. This issue is patched in version 0.4.13.

Опубликовано: 2023-03-22Изменено: 2024-11-21
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
CVE-2023-3128
CRITICAL9.8

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app.

Опубликовано: 2023-06-22Изменено: 2025-02-13
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ссылки
GHSA-5mqj-xc49-246p
HIGH7.5

crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

Опубликовано: 2023-03-23Изменено: 2023-03-23
CVSS 3.xВЫСОКАЯ 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ссылки
GHSA-7rqg-hjwc-6mjf
MEDIUM6.4

Grafana vulnerable to Stored Cross-site Scripting in Text plugin

Опубликовано: 2023-03-01Изменено: 2023-03-02
CVSS 3.xСРЕДНЯЯ 6.4
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Ссылки
GHSA-mpv3-g8m3-3fjc
CRITICAL9.4

Grafana vulnerable to Authentication Bypass by Spoofing

Опубликовано: 2023-06-23Изменено: 2025-02-13
CVSS 3.xКРИТИЧЕСКАЯ 9.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Ссылки
GHSA-qrrg-gw7w-vp76
MEDIUM6.2

Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip

Опубликовано: 2023-03-23
CVSS 3.xСРЕДНЯЯ 6.2
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N
Ссылки