Bug 1850568 (CVE-2018-18623) - CVE-2018-18623 grafana: XSS vulnerability via the "Dashboard > Text Panel" screen
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-18623
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1850570 1851999 1852002 1852258
Blocks: 1850581
Reported: 2020-06-24 13:47 UTC by Michael Kaplan
Modified: 2021-10-28 08:23 UTC (History)
CC List: 23 users

Fixed In Version: grafana 6.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grafana. An incomplete fix for CVE-2018-12099 allows an XSS in the "Dashboard > Text Panel" screen.
Clone Of:
Environment:
Last Closed: 2021-10-28 08:23:47 UTC
Embargoed:

Description Michael Kaplan 2020-06-24 13:47:10 UTC
Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.

https://github.com/grafana/grafana/pull/11813
https://security.netapp.com/advisory/ntap-20200608-0008/

Comment 1 Michael Kaplan 2020-06-24 13:47:29 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1850570]

Comment 2 Mark Cooper 2020-06-26 00:26:34 UTC
Upstream commit: https://github.com/grafana/grafana/pull/14984/commits/15d560a1c01f5bfb354f83183886881554026bb8

Looks like that is the patch given the comment: https://github.com/grafana/grafana/pull/11813#issuecomment-458045266

The patch got included in the major release of v6.0.0 as well.

Comment 4 Mark Cooper 2020-06-26 02:54:29 UTC
OpenShift 3.11 grafana-container packages a vulnerable version of grafana, 5.4.3; however, the instance is set to read-only, meaning the XSS attack cannot be performed as the text panel cannot be modified or added. As the version still packages the vulnerable code, setting to affected with Low impact.

Both OpenShift 4.x and ServiceMesh package grafana versions greater than 6.0.0 and are not affected.

Comment 6 Mauro Matteo Cascella 2020-06-29 10:02:17 UTC
In reply to comment #4:
> Both OpenShift 4.x and ServiceMesh package grafana versions greater
> than 6.0.0 and are not affected.

Same applies for RHEL-8 -> not affected.

Comment 7 Przemyslaw Roguski 2020-06-29 14:53:37 UTC
Upstream PR: https://github.com/grafana/grafana/pull/14984

Comment 9 Mark Cooper 2020-06-29 23:56:12 UTC
Statement:

While OpenShift 3.11 grafana-container packages a vulnerable version of grafana, the dashboard is set to read-only, meaning that the vulnerable component cannot be added or modified to contain the potential XSS. As the OpenShift version still packages vulnerable code, the impact is set to Low.

Comment 11 Hardik Vyas 2020-06-30 11:41:50 UTC
External References:

https://security.netapp.com/advisory/ntap-20200608-0008/
