Bug 2148252 (CVE-2022-39324)
| Summary: | CVE-2022-39324 grafana: Spoofing of the originalUrl parameter of snapshots | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | agerstmayr, amctagga, anstephe, aoconnor, avibelli, bgeorges, bniver, chazlett, clement.escoffier, dandread, dfreiber, dkreling, ellin, flucifre, gmeno, gparvin, grafana-maint, gsmet, jburrell, jcantril, jkurik, jmartisk, jwendell, jwon, lthon, max.andersen, mbenjamin, mhackett, nathans, njean, owatkins, pahickey, peholase, periklis, pgallagh, pjindal, probinso, rcernich, rgarg, rogbas, rruss, rsvoboda, sbiarozk, scorneli, sdouglas, shbose, sostapov, stcannon, teagle, twalsh, ubhargav, vereddy, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | grafana 9.2.6.1, grafana 9.1.8.2, grafana 8.5.16 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the grafana package. While creating a snapshot, an attacker may manipulate a hidden HTTP parameter to inject a malicious URL into the "Open original dashboard" button. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2148331, 2148332, 2148355, 2148356, 2148358, 2166179 | | |
| Bug Blocks: | 2148254 | | |
Description

Pedro Sampaio 2022-11-24 17:48:47 UTC

Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2166179]

This issue has been addressed in the following products:

Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2023:6420 https://access.redhat.com/errata/RHSA-2023:6420