{
  "threat_severity" : "Moderate",
  "public_date" : "2020-05-24T00:00:00Z",
  "bugzilla" : {
    "description" : "grafana: XSS via the OpenTSDB datasource",
    "id" : "1848108",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1848108"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.", "A flaw was found in grafana: tag value XSS via the OpenTSDB datasource is possible. The highest threat from this vulnerability is to data confidentiality and integrity." ],
  "statement" : "Red Hat Ceph Storage (RHCS) delivers the affected code of the grafana OpenTSDB plugin. However, Red Hat Ceph Storage uses the Prometheus time-series database as its default data source, not OpenTSDB, hence the impact of this vulnerability is set to low.\nRed Hat Gluster Storage (RHGS) delivers the affected code of the grafana OpenTSDB plugin. However, Red Hat Gluster Storage uses Graphite as its data source, not OpenTSDB, hence the impact of this vulnerability is set to low.",
  "affected_release" : [ {
    "product_name" : "OpenShift Service Mesh 1.0",
    "release_date" : "2020-07-07T00:00:00Z",
    "advisory" : "RHSA-2020:2861",
    "cpe" : "cpe:/a:redhat:service_mesh:1.0::el8",
    "package" : "servicemesh-grafana-0:6.2.2-38.el8"
  }, {
    "product_name" : "OpenShift Service Mesh 1.1",
    "release_date" : "2020-07-01T00:00:00Z",
    "advisory" : "RHSA-2020:2796",
    "cpe" : "cpe:/a:redhat:service_mesh:1.1::el8",
    "package" : "servicemesh-grafana-0:6.4.3-11.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4682",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "grafana-0:6.7.4-3.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:ceph_storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "grafana-container",
    "cpe" : "cpe:/a:redhat:ceph_storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhceph/rhceph-4-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:4",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "openshift3/grafana",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-grafana",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "grafana",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-13430\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13430" ],
  "name" : "CVE-2020-13430",
  "csaw" : false
}