grafana-9.2.10-23.el8_10
Errata ID: AXSA:2025-9968:05
Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
* grafana: Cross-site Scripting (XSS) in Grafana via Custom Frontend Plugins and Open Redirect (CVE-2025-4123)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2025-4123
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF. The default Content-Security-Policy (CSP) in Grafana will block the XSS through the `connect-src` directive.
Update packages.
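Until the update is installed, the exposure conditions named in the description (anonymous access, and whether a CSP with `connect-src` is actually being sent) can be checked in `grafana.ini`. The following is an added example, not part of the advisory or of Grafana's own code; the sample configuration is constructed, and it assumes Grafana's `[auth.anonymous] enabled`, `[security] content_security_policy` and `content_security_policy_template` settings, with the CSP header off unless `content_security_policy` is set to true.

```python
import configparser

# Constructed sample grafana.ini for illustration; not taken from the advisory.
SAMPLE_INI = '''
[auth.anonymous]
enabled = true

[security]
content_security_policy = true
content_security_policy_template = """script-src 'self' $NONCE;object-src 'none';connect-src 'self' grafana.com;"""
'''

def parse_csp(template):
    """Split a CSP string into {directive: [sources]}."""
    policy = {}
    for part in template.strip().strip('"').split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(ini_text):
    """Return findings for the exposure conditions named in CVE-2025-4123."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    findings = []
    if cfg.getboolean("auth.anonymous", "enabled", fallback=False):
        findings.append("anonymous access enabled: reachable without login")
    if not cfg.getboolean("security", "content_security_policy", fallback=False):
        findings.append("CSP header disabled: connect-src protection not in effect")
        return findings
    template = cfg.get("security", "content_security_policy_template", fallback=None)
    if template is None:
        return findings  # no override in the file: the built-in template applies
    sources = parse_csp(template).get("connect-src")
    if sources is None:
        findings.append("CSP template has no connect-src directive")
    elif any(s in ("*", "https:", "http:") for s in sources):
        findings.append("connect-src allows arbitrary hosts: " + " ".join(sources))
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_INI) or ["no exposure conditions found"]:
        print(line)
```

The check reads only the file contents it is given; settings overridden through `GF_*` environment variables are not considered.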
SRPMS
- grafana-9.2.10-23.el8_10.src.rpm
MD5: 32edba7b623f98925e5c77f732b2966f
SHA-256: 713b5f8c7571083b60a89da68b55489d5a74e27a3a59767720475955bdd8c8e8
Size: 327.50 MB
Asianux Server 8 for x86_64
- grafana-9.2.10-23.el8_10.x86_64.rpm
MD5: de6a80b6884e9a37168a47e1503543d2
SHA-256: 5e565cdfa5c13b97dd80e281a0867dbc677a82c1da0592236809e42003c93ffb
Size: 76.30 MB
- grafana-selinux-9.2.10-23.el8_10.x86_64.rpm
MD5: ef9d9146c4f79fafebdde393a459dffb
SHA-256: 1155cf31074813ed4215dca83d8e84a64db9198afe30e97515a4cbeac4854bb4
Size: 34.80 kB