We discovered that when showing data in a trace view visualization, some parts of it are not sanitized. One can provide HTML including JavaScript as the value of a span’s attributes/resources and this will be rendered when the span’s attributes/resources are expanded. A malicious user with the ability to introduce trace data could provide a JavaScript that changes the password for the user viewing the trace view (this could be an admin) to a known password, thus getting access to the admin account.
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2174476]
This issue has been addressed in the following products: Red Hat Ceph Storage 5.3 Via RHSA-2024:0746 https://access.redhat.com/errata/RHSA-2024:0746