Bug 2050648 (CVE-2022-21702)

Summary: CVE-2022-21702 grafana: XSS vulnerability in data source handling
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agerstmayr, amackenz, amasferr, amctagga, anharris, anpicker, aos-bugs, avibelli, bgeorges, bmontgom, bniver, chazlett, clement.escoffier, dandread, dkreling, drieden, eparis, flucifre, gmeno, gparvin, grafana-maint, gsmet, hamadhan, hvyas, jburrell, jkurik, jochrist, jokerman, jramanat, jwendell, jwon, lthon, mbenjamin, mhackett, mkudlej, nathans, njean, nstielau, pahickey, peholase, pgallagh, pjindal, probinso, rcernich, rdey, rruss, rsvoboda, sbiarozk, sdouglas, security-response-team, sostapov, spasquie, sponnaga, stcannon, tjochec, twalsh, vereddy, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: grafana 7.5.15, grafana 8.3.5 Doc Type: If docs needed, set a value
Doc Text:
A Cross-site scripting (XSS) vulnerability was found in the way Grafana handles data sources. This flaw allows an attacker to serve HTML content through the Grafana data source or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site scripting (XSS) attack. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-05 00:23:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2052664, 2052665, 2053453, 2053461, 2053462, 2053509, 2053510, 2054038, 2055453, 2055455, 2055456    
Bug Blocks: 2050646    

Description Mauro Matteo Cascella 2022-02-04 12:22:47 UTC 
An XSS vulnerability was found in the way Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org.

GitHub security advisory:
https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g

Grafana blog post:
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
Comment 2 Mauro Matteo Cascella 2022-02-11 11:03:12 UTC 
Upstream commit:

v7.5.x: https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85
v8.3.x: https://github.com/grafana/grafana/commit/41c1cd2865fee195a76f4856905077dfff311169
Comment 3 Mauro Matteo Cascella 2022-02-11 11:29:01 UTC 
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2053453]
Comment 19 errata-xmlrpc 2022-11-08 09:25:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
Comment 20 errata-xmlrpc 2022-11-15 10:05:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057
Comment 21 Product Security DevOps Team 2022-12-05 00:23:30 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21702