Bug 2168037 (CVE-2023-0594) - CVE-2023-0594 grafana: cross site scripting
Summary: CVE-2023-0594 grafana: cross site scripting
Keywords:
Status: NEW
Alias: CVE-2023-0594
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2172060 2172076 2172077 2172078 2172079 2172080 2172081 2172082 2174476
Blocks: 2168039
Reported: 2023-02-08 05:07 UTC by Avinash Hanwate
Modified: 2024-03-02 05:32 UTC (History)
CC List: 25 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the grafana package. A malicious user with the ability to introduce trace data can supply JavaScript that changes the password of the user viewing the trace view (who could be an admin) to a known password, thus gaining access to the admin account.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System: Red Hat Product Errata; ID: RHSA-2024:0746; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2024-02-08 16:58:07 UTC

Description Avinash Hanwate 2023-02-08 05:07:19 UTC
We discovered that when showing data in a trace view visualization, some parts of it are not sanitized. One can provide HTML including JavaScript as the value of a span’s attributes/resources and this will be rendered when the span’s attributes/resources are expanded.
A malicious user with the ability to introduce trace data could provide a JavaScript that changes the password for the user viewing the trace view (this could be an admin) to a known password, thus getting access to the admin account.
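
Added example in TypeScript (not code from this report or from Grafana) showing the pattern the report describes: span attribute/resource values interpolated unescaped into the trace-view detail table, beside a hardened renderer that escapes every untrusted field. The attribute names and sample values are constructed for the example.

```typescript
// Added example, not Grafana code: rendering a span's attributes/resources into the
// rows of a trace-view detail table. Trace data is attacker-influenced, so every value
// must be escaped before it is placed into HTML.
type KeyValue = { key: string; value: unknown };

// Minimal HTML escaper for text placed inside element content.
function escapeHtml(input: string): string {
  return input
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (what the report describes): values concatenated straight into markup,
// so any HTML or script inside an attribute value is rendered when the span is expanded.
function renderAttributesUnsafe(attrs: KeyValue[]): string {
  return attrs
    .map((kv) => `<tr><td>${kv.key}</td><td>${String(kv.value)}</td></tr>`)
    .join("");
}

// Hardened version: keys and values are escaped; non-string values are shown as JSON text.
function renderAttributesSafe(attrs: KeyValue[]): string {
  return attrs
    .map((kv) => {
      const text = typeof kv.value === "string" ? kv.value : JSON.stringify(kv.value ?? null);
      return `<tr><td>${escapeHtml(kv.key)}</td><td>${escapeHtml(text)}</td></tr>`;
    })
    .join("");
}

// Constructed sample: one ordinary attribute and one whose value carries markup.
const sampleAttributes: KeyValue[] = [
  { key: "http.method", value: "GET" },
  { key: "http.user_agent", value: "<script>alert(1)</script>" },
];

// Detection helper for the example: does a script tag survive into the rendered markup?
function containsInjectedTag(html: string): boolean {
  return /<script/i.test(html);
}
```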

Comment 6 Guilherme de Almeida Suckevicz 2023-03-01 18:24:07 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2174476]

Comment 8 errata-xmlrpc 2024-02-08 16:58:05 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:0746 https://access.redhat.com/errata/RHSA-2024:0746