Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource. Reference: https://github.com/grafana/grafana/releases/tag/v7.0.0 Upstream commit: https://github.com/grafana/grafana/pull/24539
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 1848109]
Keeping OpenShift and ServiceMesh at Moderate, as even tho the components are behind OAuth a logged in user can still be tricked to perform XSS. ServiceMesh packages a vulnerable version of grafana: - ServiceMesh 1.0.x grafana v6.2.2 - ServiceMesh 1.1.x grafana v6.4.3 OpenShift packages a vulnerable version of grafana: - OpenShift 3.11 grafana v5.4.3 - OpenShift 4.x grafana v6.5.3
Statement: Red Hat Ceph Storage (RHCS) delivers the affected code of the grafana OpenTSDB plugin. However Red Hat Ceph Storage uses the Prometheus time-series database as a default data source not the OpenTSDB, hence the impact by this vulnerability is set to low. Red Hat Gluster Storage (RHGS) delivers the affected code of the grafana OpenTSDB plugin. However Red Hat Gluster Storage uses the Graphite as a data source not the OpenTSDB, hence the impact by this vulnerability is set to low.
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13430
This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682