2158420 – (CVE-2022-23552) CVE-2022-23552 grafana: persistent xss in grafana core plugins

Bug 2158420 (CVE-2022-23552) - CVE-2022-23552 grafana: persistent xss in grafana core plugins

Summary: CVE-2022-23552 grafana: persistent xss in grafana core plugins

Keywords:
Status:	NEW
Alias:	CVE-2022-23552
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2158486 2166183
Blocks:	2158263
TreeView+	depends on / blocked

Reported:	2023-01-05 11:22 UTC by Avinash Hanwate
Modified:	2024-03-02 05:32 UTC (History)
CC List:	25 users (show)
Fixed In Version:	Grafana 8.5.19, Grafana 9.2.8.2, Grafana 9.3.2.2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in The GeoMap and Canvas plugins of Grafana. The GeoMap and Canvas plugins are core plugins in Grafana, which means that all Grafana instances have GeoMap and Canvas installed. These two plugins are vulnerable to Cross-site scripting, where an attacker with an Editor role can add an SVG file containing malicious JavaScript code. The Javascript is executed when a user with an admin role later edits the GeoMap/Canvas panel.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:6420	0	None	None	None	2023-11-07 08:16:22 UTC

Description Avinash Hanwate 2023-01-05 11:22:19 UTC

The GeoMap and Canvas plugins are core plugins in Grafana, which means that all Grafana instances have GeoMap and Canvas installed. These two plugins are vulnerable to Cross-Site-Scripting where an attacker with an Editor role can add an SVG file containing malicious JavaScript code. When a user with an admin role later edits the GeoMap/Canvas panel, the Javascript is executed.

Comment 2 Avinash Hanwate 2023-02-01 05:14:33 UTC

Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2166183]

Comment 6 errata-xmlrpc 2023-11-07 08:16:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6420 https://access.redhat.com/errata/RHSA-2023:6420

Note You need to log in before you can comment on or make changes to this bug.

agerstmayr
amctagga
aoconnor
bniver
dfreiber
flucifre
gmeno
gparvin
grafana-maint
jburrell
jkurik
jwendell
mbenjamin
mhackett
nathans
njean
owatkins
pahickey
rcernich
rogbas
sostapov
stcannon
teagle
vereddy
vkumar