Bug 2104365 (CVE-2022-31097)

Summary: CVE-2022-31097 grafana: stored XSS vulnerability
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agerstmayr, anpicker, aoconnor, bmontgom, bniver, eparis, flucifre, gmeno, gparvin, grafana-maint, jburrell, jkurik, jwendell, mbenjamin, mgoodwin, mhackett, nathans, njean, nstielau, pahickey, rcernich, sostapov, spasquie, sponnaga, stcannon, twalsh, vereddy, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Grafana 9.0.3, Grafana 8.5.9, Grafana 8.4.10, Grafana 8.3.10 Doc Type: If docs needed, set a value
Doc Text:
A Cross-site scripting (XSS) vulnerability was found in the Unified Alerting feature of Grafana. This stored XSS can elevate privileges from Editor to Admin.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2106923, 2106924, 2106925, 2106926, 2106927, 2106928, 2106929, 2106930, 2106931, 2106932, 2107181, 2107183, 2107184, 2107185, 2107186, 2107187, 2107188, 2107436, 2109062, 2109063, 2109064    
Bug Blocks: 2104176    

Description Avinash Hanwate 2022-07-06 04:25:46 UTC 
In new alerting, the runbook URL is stored as an annotation for the alert rule and can be used to initiate a stored XSS attack.
Comment 4 Avinash Hanwate 2022-07-15 04:07:46 UTC 
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2107436]
Comment 5 Sandipan Roy 2022-07-15 09:23:52 UTC 
$ depcli -svv grafana | grep rhel
rhel-8.1.0.z    grafana-6.2.2-7.el8_1
rhel-8.2.0.z    grafana-6.3.6-3.el8_2
rhel-8.4.0.z    grafana-7.3.6-4.el8_4
rhel-8.6.0.z    grafana-7.5.11-2.el8
rhel-8.7.0      grafana-7.5.15-1.el8
rhel-9.0.0.z    grafana-7.5.11-4.el9_0
rhel-9.1.0      grafana-7.5.15-1.el9

> This CVE only affects Grafana >= 8 [1], Hence our RHEL versions are not affected by this CVE.
[1] https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f
Comment 20 errata-xmlrpc 2023-06-15 16:00:13 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642