Bug 1861044 (CVE-2020-11110) - CVE-2020-11110 grafana: stored XSS
Summary: CVE-2020-11110 grafana: stored XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-11110
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1861782 1861783 1865937 1866350 1866351 1866352 1866353
Blocks: 1861045
TreeView+ depends on / blocked
 
Reported: 2020-07-27 16:59 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-10 16:27 UTC (History)
23 users (show)

Fixed In Version: grafana 6.7.2
Clone Of:
Environment:
Last Closed: 2020-10-27 20:21:32 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4298 0 None None None 2020-10-27 16:24:52 UTC
Red Hat Product Errata RHSA-2020:4682 0 None None None 2020-11-04 02:59:52 UTC

Description Guilherme de Almeida Suckevicz 2020-07-27 16:59:04 UTC 
Grafana through 6.7.1 allows stored XSS.

Reference:
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#672-2020-04-02
Comment 1 Przemyslaw Roguski 2020-07-29 12:56:25 UTC 
Upstream patch: https://github.com/grafana/grafana/commit/fb114a75241aaef4c08581b42509c750738b768a
Comment 2 Przemyslaw Roguski 2020-07-29 14:25:56 UTC 
Statement:

Both OpenShift 3.11 and 4.x grafana-container's package a vulnerable version of grafana. However the grafana instance is set to read-only meaning that the potential XSS attack cannot be performed because the original url field cannot be modified. Access to the grafana panel is additionally behind OpenShift OAuth proxy and requires admin permissions.
As OpenShift still packages the vulnerable code, the components are affected but the impact is Low.
Comment 6 Mark Cooper 2020-07-30 01:31:53 UTC 
OpenShift ServiceMesh packages a vulnerable version of grafana (v6.4.3) in the container, openshift-service-mesh/grafana-rhel8.
Comment 11 errata-xmlrpc 2020-10-27 16:24:49 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
Comment 12 Product Security DevOps Team 2020-10-27 20:21:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11110
Comment 13 errata-xmlrpc 2020-11-04 03:00:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682
Note You need to log in before you can comment on or make changes to this bug.