{ "threat_severity" : "Moderate", "public_date" : "2023-03-02T00:00:00Z", "bugzilla" : { "description" : "grafana: stored XSS vulnerability affecting the core plugin \"Text\"", "id" : "2164936", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2164936" }, "cvss3" : { "cvss3_base_score" : "6.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-79", "details" : [ "Grafana is an open-source platform for monitoring and observability. On 2023-01-01 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin \"Text\". The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React's render cycle that will pass though the unsanitized HTML code, but in the next cycle the HTML is cleaned up and saved in Grafana's database. An attacker needs to have the Editor role in order to change a Text panel to include JavaScript. Another user needs to edit the same Text panel, and click on \"Markdown\" or \"HTML\" for the code to be executed. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. This issue has been patched in versions 9.2.10 and 9.3.4.", "A flaw was found in the Grafana core plugin, \"Text.\" The vulnerability was possible due to React's render cycle that will pass through unsanitized HTML code. However, the HTML is cleaned and saved in Grafana's database in the next cycle. An attacker needs the Editor role in changing a Text panel to include JavaScript. Later, another user needs to edit the same Text panel and click \"Markdown\" or \"HTML\" to execute the code. This issue allows possible vertical privilege escalation, where a user with an Editor role can change to a known password for a user having an Admin role if the user with an Admin role executes malicious JavaScript viewing a dashboard." ], "statement" : "OpenShift Service Mesh containers include the grafana RPM from RHEL and consume CVE fixes for grafana from RHEL channels. The servicemesh-grafana RPM shipped in early versions of OpenShift Service Mesh 2.1 is no longer maintained.", "acknowledgement" : "Upstream acknowledges Grafana Security Team as the original reporter.", "affected_release" : [ { "product_name" : "Red Hat Ceph Storage 5.3", "release_date" : "2024-02-08T00:00:00Z", "advisory" : "RHSA-2024:0746", "cpe" : "cpe:/a:redhat:ceph_storage:5.3::el8", "package" : "rhceph/rhceph-5-dashboard-rhel8:5-83" } ], "package_state" : [ { "product_name" : "OpenShift Service Mesh 2.1", "fix_state" : "Will not fix", "package_name" : "servicemesh-grafana", "cpe" : "cpe:/a:redhat:service_mesh:2.1" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/acm-grafana-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Out of support scope", "package_name" : "grafana", "cpe" : "cpe:/a:redhat:ceph_storage:3" }, { "product_name" : "Red Hat Ceph Storage 4", "fix_state" : "Affected", "package_name" : "rhceph/rhceph-4-dashboard-rhel8", "cpe" : "cpe:/a:redhat:ceph_storage:4" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "grafana", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "grafana", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-grafana", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Will not fix", "package_name" : "grafana", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-22462\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-22462" ], "name" : "CVE-2023-22462", "csaw" : false }