Bug 2050648 (CVE-2022-21702) - CVE-2022-21702 grafana: XSS vulnerability in data source handling
Summary: CVE-2022-21702 grafana: XSS vulnerability in data source handling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-21702
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2052664 2052665 2053453 2053461 2053462 2053509 2053510 2054038 2055453 2055455 2055456
Blocks: 2050646
Reported: 2022-02-04 12:22 UTC by Mauro Matteo Cascella
Modified: 2023-09-01 02:56 UTC (History)

Fixed In Version: grafana 7.5.15, grafana 8.3.5
Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) vulnerability was found in the way Grafana handles data sources. This flaw allows an attacker to serve HTML content through the Grafana data source or plugin proxy and, using a specially crafted link, trick a user into visiting that HTML page, executing an XSS attack in the user's browser. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org.
Clone Of:
Environment:
Last Closed: 2022-12-05 00:23:35 UTC
Embargoed:




Links
System                   ID             Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2022:7519 0        None      None    None     2022-11-08 09:25:36 UTC
Red Hat Product Errata   RHSA-2022:8057 0        None      None    None     2022-11-15 10:05:54 UTC

Description Mauro Matteo Cascella 2022-02-04 12:22:47 UTC
An XSS vulnerability was found in the way Grafana handles data sources. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org.

GitHub security advisory:
https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g

Grafana blog post:
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/

Comment 3 Mauro Matteo Cascella 2022-02-11 11:29:01 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2053453]

Comment 19 errata-xmlrpc 2022-11-08 09:25:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519

Comment 20 errata-xmlrpc 2022-11-15 10:05:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057

Comment 21 Product Security DevOps Team 2022-12-05 00:23:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21702

