AXSA:2021-1351:01

Release date: Monday, February 1, 2021 - 04:40
Subject: grafana-6.7.4-3.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Low
Description:

Grafana is an open-source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

The following packages have been upgraded to a later upstream version: grafana (6.7.4).

Security Fix(es):

grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen (CVE-2018-18624)
grafana: arbitrary file read via MySQL data source (CVE-2019-19499)
grafana: stored XSS (CVE-2020-11110)
grafana: XSS annotation popup vulnerability (CVE-2020-12052)
grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)
grafana: information disclosure through world-readable /var/lib/grafana/grafana.db (CVE-2020-12458)
grafana: information disclosure through world-readable grafana configuration files (CVE-2020-12459)
grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-18624
Grafana 5.3.1 has XSS via a column style on the "Dashboard > Table Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099.
CVE-2019-19499
Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations.
CVE-2020-11110
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
CVE-2020-12052
Grafana versions before 6.7.3 are vulnerable to annotation popup XSS.
CVE-2020-12245
Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip.
CVE-2020-12458
An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords).
CVE-2020-12459
In certain Red Hat packages for Grafana 6.x through 6.3.6, the configuration files /etc/grafana/grafana.ini and /etc/grafana/ldap.toml (which contain a secret_key and a bind_password) are world readable.
CVE-2020-13430
Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.
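
The two information-disclosure entries above (CVE-2020-12458 and CVE-2020-12459) come down to a file-permission check. The following POSIX shell script is an added example, not part of this advisory or of the Grafana packages: it audits the paths the advisory names for the "readable by other" bit and can strip that bit. The path list comes from the advisory text; the function names, the `--audit`/`--fix` flags and the remark about owner/group access are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Asianux advisory or the Grafana packages:
# audit the files named in CVE-2020-12458 and CVE-2020-12459 for the
# "readable by other" bit, and remove it where found. The path list is
# taken from the advisory text; everything else here is an assumption.

GRAFANA_SENSITIVE_PATHS="/var/lib/grafana /var/lib/grafana/grafana.db \
/etc/grafana/grafana.ini /etc/grafana/ldap.toml"

# world_readable PATH -> 0 if the "other" read bit is set, 1 if not,
# 2 if the path does not exist. Uses ls -ld so it works on any POSIX sh.
world_readable() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 2
    case "$perms" in
        ???????r*) return 0 ;;   # char 8 of "-rw-r--r--" is other-read
        *)         return 1 ;;
    esac
}

# check_grafana_files PATH... -> prints each exposed path with its mode and
# returns how many were exposed (0 means nothing to fix).
check_grafana_files() {
    exposed=0
    for p in "$@"; do
        if world_readable "$p"; then
            printf 'WORLD-READABLE %s %s\n' "$(ls -ld "$p" | cut -c1-10)" "$p"
            exposed=$((exposed + 1))
        fi
    done
    return "$exposed"
}

# restrict_grafana_files PATH... -> strips all "other" permissions from the
# paths that exist. Assumption: the grafana service user reaches these files
# as owner or group member, so it keeps access after the change.
restrict_grafana_files() {
    for p in "$@"; do
        if [ -e "$p" ]; then chmod o-rwx "$p"; fi
    done
}

# Usage: sh grafana-perms.sh --audit   (report only, exit code = count)
#        sh grafana-perms.sh --fix     (audit, then restrict the listed paths)
case "${1:-}" in
    --audit) check_grafana_files $GRAFANA_SENSITIVE_PATHS; exit $? ;;
    --fix)   check_grafana_files $GRAFANA_SENSITIVE_PATHS || true
             restrict_grafana_files $GRAFANA_SENSITIVE_PATHS ;;
esac
```

Run the audit again after applying the updated packages; a non-zero exit code means a listed path is still readable by every local account.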

Solution:

Update packages.

Additional Info:

N/A

Download:

SRPMS
  1. grafana-6.7.4-3.el8.src.rpm
    MD5: 758e4d47bc4747a7f28b7b40f5d0c328
    SHA-256: 326b4df899c753692d6ae8abfd81d6dd288b236bfda5e0aefa12d391fde13eab
    Size: 23.77 MB

Asianux Server 8 for x86_64
  1. grafana-6.7.4-3.el8.x86_64.rpm
    MD5: b0673c47791c1ed95f813ceacc2c59e2
    SHA-256: e8c767d724f42a1468581cc0451f607692b7423a31c24700b38a758b909d0307
    Size: 28.24 MB
  2. grafana-azure-monitor-6.7.4-3.el8.x86_64.rpm
    MD5: 57a246aa5a9e4eff6c24e36780c6a51b
    SHA-256: 55545db3b96bf21db2e2bc5a77da5035e4ae23fb179f01556c2b9433750e35b5
    Size: 973.77 kB
  3. grafana-cloudwatch-6.7.4-3.el8.x86_64.rpm
    MD5: 398106232191f76da60296683a21561d
    SHA-256: 5824fadfd8e4b1983c404b4a348005e045ac4feb2190ce92db3878efe73c9d24
    Size: 51.30 kB
  4. grafana-elasticsearch-6.7.4-3.el8.x86_64.rpm
    MD5: 8c6da29281288e62ed9db7681aa792b9
    SHA-256: 1ef5f3dc9f22c106fd88e9da579b81fb81918a74282761a37ee931f8799eb562
    Size: 52.73 kB
  5. grafana-graphite-6.7.4-3.el8.x86_64.rpm
    MD5: 85224c0f392e732a2f7ab7a8255acb72
    SHA-256: 05c8780fdf90027cd450039ec95b7bb0205b213278099645c2a3a7bec5adf110
    Size: 63.84 kB
  6. grafana-influxdb-6.7.4-3.el8.x86_64.rpm
    MD5: bf4ff5c6e15cb4c5135fa038c1599625
    SHA-256: 41a91e434f6904b37be16dae60e1bd3aad51cb68a6958b11a707c84000b17289
    Size: 43.30 kB
  7. grafana-loki-6.7.4-3.el8.x86_64.rpm
    MD5: 0ff16ad48beef2ffebfa67e718ffdb5d
    SHA-256: 89bde4b26df7e96b28d950f60940f2c1702a830e7c1b99526c820378afd7d95e
    Size: 60.18 kB
  8. grafana-mssql-6.7.4-3.el8.x86_64.rpm
    MD5: fd19593e87f536a4a4a881214e4296ca
    SHA-256: 93b5d25d9eefea5d8842eaa03a75f47debe4e7baa972ffba036d6366e406eb33
    Size: 33.67 kB
  9. grafana-mysql-6.7.4-3.el8.x86_64.rpm
    MD5: 5ee5094669cae06d288b753676569f78
    SHA-256: 8a84e919e9b28418f05ae7a39ab26c8ba2d836e05422cb5fb47d01a735e2b949
    Size: 34.45 kB
  10. grafana-opentsdb-6.7.4-3.el8.x86_64.rpm
    MD5: fc387e58448a4c893c44ff7e72d119f2
    SHA-256: dc9465cfdb2f0326365a7fb508209d92a20f90771ab64f1a2800e21027ec3cba
    Size: 33.98 kB
  11. grafana-postgres-6.7.4-3.el8.x86_64.rpm
    MD5: 94be1fcbdd7975423eccf01e5183e4a4
    SHA-256: 45ea0bd372608d1f7b9c887cc9b7b37daf3919ada342ffd0695576228f22d2c3
    Size: 36.26 kB
  12. grafana-prometheus-6.7.4-3.el8.x86_64.rpm
    MD5: d3219f5df0a763eeffc643e47f24435a
    SHA-256: ca853c7f9dc59dfe63fa1ca1a1e7de5d3adbdfc63e0ed2439f89f4e032493b04
    Size: 70.98 kB
  13. grafana-stackdriver-6.7.4-3.el8.x86_64.rpm
    MD5: 45730e494d5f59146d7e781e363b4255
    SHA-256: 3a466253afefd2022c19848edaa730368318056652e8652a6d10122d95159694
    Size: 41.62 kB