Bug 2160334 (CVE-2022-4730)

Summary: CVE-2022-4730 graphite-web: Cross-site scripting vulnerability
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the graphite-web package. Affected versions of this package are vulnerable to cross-site scripting.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2160337, 2160339, 2160342
Bug Blocks: 2156345

Description Avinash Hanwate 2023-01-12 05:22:39 UTC
A vulnerability was found in Graphite Web. It has been classified as problematic. Affected is an unknown function of the component Absolute Time Range Handler. The manipulation leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216744.

https://github.com/graphite-project/graphite-web/commit/2f178f490e10efc03cd1d27c72f64ecab224eb23
https://vuldb.com/?id.216744
https://github.com/graphite-project/graphite-web/issues/2746
https://github.com/graphite-project/graphite-web/pull/2785

Comment 1 Avinash Hanwate 2023-01-12 05:24:03 UTC
Created graphite-web tracking bugs for this issue:

Affects: epel-all [bug 2160339]
Affects: fedora-all [bug 2160337]