Bug 1861044 (CVE-2020-11110)

Summary: CVE-2020-11110 grafana: stored XSS
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agerstmayr, alegrand, anpicker, bmontgom, eparis, erooth, grafana-maint, hvyas, jburrell, jkurik, jokerman, kakkoyun, kconner, lcosic, mgoodwin, mloibl, nathans, nstielau, pkrupa, puebele, rcernich, sponnaga, surbania
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: grafana 6.7.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grafana. The lack of URL sanitizing allows for stored XSS.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 20:21:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1861782, 1861783, 1865937, 1866350, 1866351, 1866352, 1866353    
Bug Blocks: 1861045    

Description Guilherme de Almeida Suckevicz 2020-07-27 16:59:04 UTC
Grafana through 6.7.1 allows stored XSS.

Reference:
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#672-2020-04-02

Comment 1 Przemyslaw Roguski 2020-07-29 12:56:25 UTC
Upstream patch: https://github.com/grafana/grafana/commit/fb114a75241aaef4c08581b42509c750738b768a

Comment 2 Przemyslaw Roguski 2020-07-29 14:25:56 UTC
Statement:

Both OpenShift 3.11 and 4.x grafana-container's package a vulnerable version of grafana. However the grafana instance is set to read-only meaning that the potential XSS attack cannot be performed because the original url field cannot be modified. Access to the grafana panel is additionally behind OpenShift OAuth proxy and requires admin permissions.
As OpenShift still packages the vulnerable code, the components are affected but the impact is Low.

Comment 6 Mark Cooper 2020-07-30 01:31:53 UTC
OpenShift ServiceMesh packages a vulnerable version of grafana (v6.4.3) in the container, openshift-service-mesh/grafana-rhel8.

Comment 11 errata-xmlrpc 2020-10-27 16:24:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298

Comment 12 Product Security DevOps Team 2020-10-27 20:21:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11110

Comment 13 errata-xmlrpc 2020-11-04 03:00:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682