Bug 2160335 (CVE-2022-4728)

Summary: CVE-2022-4728 graphite-web: Cross-site scripting vulnerability
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the graphite-web package. Affected versions of this package are vulnerable to Cross-site scripting.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2160336, 2160338, 2160340    
Bug Blocks: 2156345    

Description Avinash Hanwate 2023-01-12 05:23:37 UTC 
A vulnerability has been found in Graphite Web and classified as problematic. This vulnerability affects unknown code of the component Cookie Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2f178f490e10efc03cd1d27c72f64ecab224eb23. It is recommended to apply a patch to fix this issue. VDB-216742 is the identifier assigned to this vulnerability.

https://github.com/graphite-project/graphite-web/commit/2f178f490e10efc03cd1d27c72f64ecab224eb23
https://github.com/graphite-project/graphite-web/issues/2744
https://github.com/graphite-project/graphite-web/pull/2785
https://vuldb.com/?id.216742
Comment 1 Avinash Hanwate 2023-01-12 05:24:00 UTC 
Created graphite-web tracking bugs for this issue:

Affects: epel-all [bug 2160338]
Affects: fedora-all [bug 2160336]