Bug 1848108 (CVE-2020-13430) - CVE-2020-13430 grafana: XSS via the OpenTSDB datasource
Summary: CVE-2020-13430 grafana: XSS via the OpenTSDB datasource
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13430
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1848109 1848659 1848660 1848661 1848853 1848855 1848924 1850427
Blocks: 1848112
Reported: 2020-06-17 17:18 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-10 14:01 UTC

Fixed In Version: grafana 7.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in grafana. Tag value XSS via the OpenTSDB datasource is possible. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2020-07-01 19:28:06 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2020:2796 | 0 | None | None | None | 2020-07-01 18:46:16 UTC
Red Hat Product Errata | RHSA-2020:2861 | 0 | None | None | None | 2020-07-07 19:33:46 UTC
Red Hat Product Errata | RHSA-2020:4682 | 0 | None | None | None | 2020-11-04 02:59:44 UTC

Description Guilherme de Almeida Suckevicz 2020-06-17 17:18:56 UTC
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

Reference:
https://github.com/grafana/grafana/releases/tag/v7.0.0

Upstream commit:
https://github.com/grafana/grafana/pull/24539

Comment 1 Guilherme de Almeida Suckevicz 2020-06-17 17:19:17 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 1848109]

Comment 4 Mark Cooper 2020-06-19 04:40:27 UTC
Keeping OpenShift and ServiceMesh at Moderate, as even though the components are behind OAuth, a logged-in user can still be tricked to perform XSS.

ServiceMesh packages a vulnerable version of grafana:
  - ServiceMesh 1.0.x grafana v6.2.2
  - ServiceMesh 1.1.x grafana v6.4.3

OpenShift packages a vulnerable version of grafana:
  - OpenShift 3.11 grafana v5.4.3
  - OpenShift 4.x  grafana v6.5.3

Comment 9 Przemyslaw Roguski 2020-06-19 11:31:17 UTC
Statement:

Red Hat Ceph Storage (RHCS) delivers the affected code of the grafana OpenTSDB plugin. However, Red Hat Ceph Storage uses the Prometheus time-series database as a default data source, not OpenTSDB; hence the impact by this vulnerability is set to low.

Red Hat Gluster Storage (RHGS) delivers the affected code of the grafana OpenTSDB plugin. However, Red Hat Gluster Storage uses Graphite as a data source, not OpenTSDB; hence the impact by this vulnerability is set to low.

Comment 12 errata-xmlrpc 2020-07-01 18:46:13 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2796 https://access.redhat.com/errata/RHSA-2020:2796

Comment 13 Product Security DevOps Team 2020-07-01 19:28:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13430

Comment 14 errata-xmlrpc 2020-07-07 19:33:44 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:2861 https://access.redhat.com/errata/RHSA-2020:2861

Comment 15 errata-xmlrpc 2020-11-04 02:59:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4682 https://access.redhat.com/errata/RHSA-2020:4682

