Bug 2181117 (CVE-2023-1410)

Summary: CVE-2023-1410 grafana: Stored XSS in Graphite FunctionDescription tooltip
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: amctagga, aoconnor, bniver, dfreiber, flucifre, gmeno, gparvin, grafana-maint, jburrell, jkurik, jwendell, mbenjamin, mhackett, nathans, njean, owatkins, pahickey, rcernich, rogbas, sostapov, stcannon, teagle, twalsh, vereddy, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Grafana 8.5.22, Grafana 9.3.11, Grafana 9.2.15
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Grafana. This flaw allows an attacker to host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2181123, 2181124, 2181438, 2181439, 2254043
Bug Blocks: 2181118

Description Avinash Hanwate 2023-03-23 06:48:19 UTC
When a Graphite data source is added, one can use this data source in a dashboard. This contains a feature to use Functions. Once a function is selected, a small tooltip will be shown when hovering over the name of the function. This tooltip will allow you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM. 

Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.

Comment 3 TEJ RATHI 2023-03-24 06:20:44 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2181438]

Comment 7 errata-xmlrpc 2023-12-12 13:56:26 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:7741 https://access.redhat.com/errata/RHSA-2023:7741