grafana-6.7.4-3.el8
エラータID: AXSA:2021-1351:01
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
The following packages have been upgraded to a later upstream version: grafana (6.7.4).
Security Fix(es):
grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen (CVE-2018-18624)
grafana: arbitrary file read via MySQL data source (CVE-2019-19499)
grafana: stored XSS (CVE-2020-11110)
grafana: XSS annotation popup vulnerability (CVE-2020-12052)
grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)
grafana: information disclosure through world-readable /var/lib/grafana/grafana.db (CVE-2020-12458)
grafana: information disclosure through world-readable grafana configuration files (CVE-2020-12459)
grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2018-18624
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2019-19499
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.
CVE-2020-11110
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-12052
Grafana version < 6.7.3 is vulnerable for annotation popup XSS.
CVE-2020-12245
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
CVE-2020-12458
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
CVE-2020-12459
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
CVE-2020-13430
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
Update packages.
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
N/A
SRPMS
- grafana-6.7.4-3.el8.src.rpm
MD5: 758e4d47bc4747a7f28b7b40f5d0c328
SHA-256: 326b4df899c753692d6ae8abfd81d6dd288b236bfda5e0aefa12d391fde13eab
Size: 23.77 MB
Asianux Server 8 for x86_64
- grafana-6.7.4-3.el8.x86_64.rpm
MD5: b0673c47791c1ed95f813ceacc2c59e2
SHA-256: e8c767d724f42a1468581cc0451f607692b7423a31c24700b38a758b909d0307
Size: 28.24 MB - grafana-azure-monitor-6.7.4-3.el8.x86_64.rpm
MD5: 57a246aa5a9e4eff6c24e36780c6a51b
SHA-256: 55545db3b96bf21db2e2bc5a77da5035e4ae23fb179f01556c2b9433750e35b5
Size: 973.77 kB - grafana-cloudwatch-6.7.4-3.el8.x86_64.rpm
MD5: 398106232191f76da60296683a21561d
SHA-256: 5824fadfd8e4b1983c404b4a348005e045ac4feb2190ce92db3878efe73c9d24
Size: 51.30 kB - grafana-elasticsearch-6.7.4-3.el8.x86_64.rpm
MD5: 8c6da29281288e62ed9db7681aa792b9
SHA-256: 1ef5f3dc9f22c106fd88e9da579b81fb81918a74282761a37ee931f8799eb562
Size: 52.73 kB - grafana-graphite-6.7.4-3.el8.x86_64.rpm
MD5: 85224c0f392e732a2f7ab7a8255acb72
SHA-256: 05c8780fdf90027cd450039ec95b7bb0205b213278099645c2a3a7bec5adf110
Size: 63.84 kB - grafana-influxdb-6.7.4-3.el8.x86_64.rpm
MD5: bf4ff5c6e15cb4c5135fa038c1599625
SHA-256: 41a91e434f6904b37be16dae60e1bd3aad51cb68a6958b11a707c84000b17289
Size: 43.30 kB - grafana-loki-6.7.4-3.el8.x86_64.rpm
MD5: 0ff16ad48beef2ffebfa67e718ffdb5d
SHA-256: 89bde4b26df7e96b28d950f60940f2c1702a830e7c1b99526c820378afd7d95e
Size: 60.18 kB - grafana-mssql-6.7.4-3.el8.x86_64.rpm
MD5: fd19593e87f536a4a4a881214e4296ca
SHA-256: 93b5d25d9eefea5d8842eaa03a75f47debe4e7baa972ffba036d6366e406eb33
Size: 33.67 kB - grafana-mysql-6.7.4-3.el8.x86_64.rpm
MD5: 5ee5094669cae06d288b753676569f78
SHA-256: 8a84e919e9b28418f05ae7a39ab26c8ba2d836e05422cb5fb47d01a735e2b949
Size: 34.45 kB - grafana-opentsdb-6.7.4-3.el8.x86_64.rpm
MD5: fc387e58448a4c893c44ff7e72d119f2
SHA-256: dc9465cfdb2f0326365a7fb508209d92a20f90771ab64f1a2800e21027ec3cba
Size: 33.98 kB - grafana-postgres-6.7.4-3.el8.x86_64.rpm
MD5: 94be1fcbdd7975423eccf01e5183e4a4
SHA-256: 45ea0bd372608d1f7b9c887cc9b7b37daf3919ada342ffd0695576228f22d2c3
Size: 36.26 kB - grafana-prometheus-6.7.4-3.el8.x86_64.rpm
MD5: d3219f5df0a763eeffc643e47f24435a
SHA-256: ca853c7f9dc59dfe63fa1ca1a1e7de5d3adbdfc63e0ed2439f89f4e032493b04
Size: 70.98 kB - grafana-stackdriver-6.7.4-3.el8.x86_64.rpm
MD5: 45730e494d5f59146d7e781e363b4255
SHA-256: 3a466253afefd2022c19848edaa730368318056652e8652a6d10122d95159694
Size: 41.62 kB
日本語