Fedora Account System
Red Hat Associate
Red Hat Customer
Grafana organization admins can invite other members. The invite link which is sent out allows new users to sign up with whatever username/email address they want, which can be exploited in a social engineering attack. Affected Versions: Grafana <=8.x, Grafana <=9.x
Deptopia refers to version 5.2.3-4.el7cp for ceph 3 (which matches with a manual search of the most recent release's source code), thus affected and OOOS, and uses Grafana container for Ceph 4 and 5. Grafana container: Ceph 4.x uses golang:1.11.4 as the base to get grafana from. This was released significantly prior to the bugs in 9.2.0 and 9.2.1, but 5.x<=8.x to affected and trackers filed. Ceph 5.3 (RC and thus the only potentially affected version) uses Grafana 8.3.5, and all the potential bug fixes are from prior to the http://tracker.ceph.com/issues/48*, which is when the affected timeline begins. Ceph 5.2 (most recent published verison) uses Grafana 8.3.5 and https://pkg.go.dev/github.com/grafana/grafana (from golang olang:1.17.6-alpine3.15), in the grafana container, published in 2019. Thus, affected as 8.3.5 <= 8.x In the case of gluster. Last release was in Feb. I also dug into the source code for gluster, we're running 5.2.4 as Deptopia verifies. 5.x<=8.x, so marked as affected and trackers filed.
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2141184]
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6420 https://access.redhat.com/errata/RHSA-2023:6420