Bug 1848089 (CVE-2020-12052)

Summary: CVE-2020-12052 grafana: XSS annotation popup vulnerability
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agerstmayr, alegrand, amctagga, anharris, anpicker, bmontgom, bniver, eparis, erooth, flucifre, gmeno, grafana-maint, hvyas, jburrell, jkurik, jokerman, kakkoyun, kconner, lcosic, mbenjamin, mgoodwin, mhackett, mloibl, nathans, nstielau, osoukup, pkrupa, puebele, rcernich, sponnaga, surbania, vbellur, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: grafana 6.7.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grafana. The software is vulnerable to an annotation popup XSS.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-01 19:27:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1848428, 1848429, 1848430, 1848461, 1848805, 1848806, 1850399    
Bug Blocks: 1848091    

Description Guilherme de Almeida Suckevicz 2020-06-17 16:31:03 UTC 
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.

Reference:
https://community.grafana.com/t/release-notes-v6-7-x/27119
Comment 5 Przemyslaw Roguski 2020-06-18 13:48:34 UTC 
Upstream commit: 
https://github.com/grafana/grafana/pull/23813/commits
Comment 8 Mark Cooper 2020-06-19 02:51:31 UTC 
Statement:

This issue affects the version of the grafana package as shipped with Red Hat Ceph Storage (RHCS) version 2. Ceph-2 has reached End of Extended Life Cycle Support and no longer fixing moderates/lows.
Comment 9 Mark Cooper 2020-06-19 03:05:50 UTC 
Keeping OpenShift and ServiceMesh at Moderate, as I feel even tho the components are behind OAuth a logged in user can still be tricked to perform XSS.

ServiceMesh packages a vulnerable version of grafana:
  - ServiceMesh 1.0.x grafana v6.2.2
  - ServiceMesh 1.1.x grafana v6.4.3

OpenShift packages a vulnerable version of grafana:
  - OpenShift 3.11 grafana v5.4.3
  - OpenShift 4.x  grafana v6.5.3

In addition, have checked source to ensure the patch hasn't be back-ported.
Comment 13 errata-xmlrpc 2020-07-01 18:46:08 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796
Comment 14 Product Security DevOps Team 2020-07-01 19:27:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12052
Comment 15 errata-xmlrpc 2020-07-07 19:33:44 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861
Comment 16 errata-xmlrpc 2020-10-27 16:24:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
Comment 17 errata-xmlrpc 2020-11-04 02:59:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682