Bug 2066563 (CVE-2022-26148)

Summary: CVE-2022-26148 grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agerstmayr, amackenz, amasferr, anharris, anpicker, aos-bugs, avibelli, bgeorges, bmontgom, bniver, chazlett, clement.escoffier, dandread, dkreling, eclipseo, eparis, flucifre, gmeno, go-sig, gparvin, grafana-maint, gsmet, jburrell, jchaloup, jkurik, jochrist, jokerman, jwendell, jwon, lthon, mbenjamin, mgoodwin, mhackett, mrunge, nathans, njean, nstielau, pahickey, peholase, pgallagh, pjindal, probinso, rcernich, rruss, rsvoboda, sbiarozk, sostapov, spasquie, sponnaga, stcannon, tjochec, twalsh, vereddy, vkumar, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Grafana when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right-click to view the source code and use Ctrl-F to search for the password in api_jsonrpc.php to discover the Zabbix account password and URL address.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2068519, 2068520, 2072831, 2072832, 2072833, 2077636, 2077637, 2077638, 2077639    
Bug Blocks: 2066564    

Description Rohit Keshri 2022-03-22 04:50:47 UTC 
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.

https://2k8.org/post-319.html
Comment 27 errata-xmlrpc 2023-06-15 15:59:44 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642