Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. References: https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01 https://github.com/grafana/grafana/pull/25401
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1892419]
Upstream fix pr: https://github.com/grafana/grafana/pull/25401
External References: https://github.com/grafana/grafana/pull/25401
Statement: A vulnerable version of Grafana is shipped in OpenShift 3.11 - 4.5 and OpenShift ServiceMesh, however Prometheus is used as a data source and modification to Elasticsearch or Testdata requires full control of the grafana component. Access is restricted to authenticated users only by OpenShift OAuth. As OpenShift and OpenShift ServiceMesh still packages the vulnerable code, the components are affected but with impact Low. OpenShift 4.6 uses version 7.2.0 of Grafana in openshift4/ose-grafana-container and is not affected. Red Hat Ceph Storage 3 and 4 ship a vulnerable version of grafana, however, Prometheus is used as the data source., and thus the impact is rated as low. Red Hat Gluster Storage 3 ships vulnerable version of grafana, however Graphite is the only supported data source and hence this issue has been rated as having a security impact of Low.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1859 https://access.redhat.com/errata/RHSA-2021:1859
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-24303