Grafana version < 6.7.3 is vulnerable to annotation popup XSS. Reference: https://community.grafana.com/t/release-notes-v6-7-x/27119
Upstream commit: https://github.com/grafana/grafana/pull/23813/commits
Statement: This issue affects the version of the grafana package as shipped with Red Hat Ceph Storage (RHCS) version 2. Ceph-2 has reached End of Extended Life Cycle Support, and moderates/lows are no longer being fixed.
Keeping OpenShift and ServiceMesh at Moderate, as I feel even though the components are behind OAuth, a logged-in user can still be tricked into performing XSS.

ServiceMesh packages a vulnerable version of grafana:
- ServiceMesh 1.0.x grafana v6.2.2
- ServiceMesh 1.1.x grafana v6.4.3

OpenShift packages a vulnerable version of grafana:
- OpenShift 3.11 grafana v5.4.3
- OpenShift 4.x grafana v6.5.3

In addition, have checked source to ensure the patch hasn't been back-ported.
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12052
This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682