Bug 2160331 (CVE-2022-4729)

Summary: CVE-2022-4729 graphite-web: Cross-site scripting vulnerability
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the graphite-web package. Affected versions of this package are vulnerable to Cross-site scripting.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2160332, 2160333, 2160341
Bug Blocks: 2156345

Description Avinash Hanwate 2023-01-12 05:20:37 UTC
A vulnerability was found in Graphite Web and classified as problematic. This issue affects some unknown processing of the component Template Name Handler. The manipulation leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216743.

https://github.com/graphite-project/graphite-web/commit/2f178f490e10efc03cd1d27c72f64ecab224eb23
https://vuldb.com/?id.216743
https://github.com/graphite-project/graphite-web/issues/2745
https://github.com/graphite-project/graphite-web/pull/2785

Comment 1 Avinash Hanwate 2023-01-12 05:21:39 UTC
Created graphite-web tracking bugs for this issue:

Affects: epel-all [bug 2160333]
Affects: fedora-all [bug 2160332]