grafana-9.2.10-7.el9.ML.1
エラータID: AXSA:2023-6884:10
リリース日:
2023/12/12 Tuesday - 09:07
題名:
grafana-9.2.10-7.el9.ML.1
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- Grafana の GeoMap プラグインには、SVG 形式のファイルを適切
にサニタイズしていない問題があるため、リモートの攻撃者により、
細工された SVG 形式のデータを介して、任意の JavaScript コード
の実行、およびこれに起因するクロスサイトスクリプティング攻撃
を可能とする脆弱性が存在します。(CVE-2022-23552)
- Grafana には、署名されていないプラグインが許可されていない
場合でもプラグインのダウンロードとインストールが可能となる
問題があるため、ローカルの攻撃者により、サーバー管理者を
誤誘導させることを介して、細工されたプラグインの実行を可能
とする脆弱性が存在します。(CVE-2022-31123)
- Grafana の一部のプラグインには、リモートの攻撃者により、
プラグインの通信先への認証トークンの漏洩を可能とする脆弱性
が存在します。(CVE-2022-31130)
- Grafana には、Cookie 上の認証情報を Grafana のプラグインに
意図せず送信してしまう問題があるため、リモートの攻撃者により、
情報の漏洩を可能とする脆弱性が存在します。(CVE-2022-39201)
- Grafana には、組織外のメンバーを招待できてしまう問題がある
ため、管理者が組織外のメンバーを誤って招待してしまうことを
介して、意図しないシステムの利用を可能とする脆弱性が存在
します。(CVE-2022-39306)
- Grafana には、ユーザー名や電子メールが登録されていない場合、
ユーザーが存在しないことを示す JSON を応答してしまう問題が
あるため、リモートの攻撃者により、ログインページのパスワード
を失念した場合のリンクを用いた総当たり攻撃を介して、システム
に登録されているユーザーの特定を可能とする脆弱性が存在します。
(CVE-2022-39307)
- Grafana には、[Open Original Dashboard] ボタンのリンク先に
任意の URL を挿入できる問題があるため、リモートの攻撃者に
より、細工されたクエリによる "originalUrl" パラメーターの編集
を介して、不正なサイトへの誘導を可能とする脆弱性が存在します。
(CVE-2022-39324)
- golang の net/http ライブラリには、大量のメモリを消費して
しまう問題があるため、リモートの攻撃者により、細工した
HTTP/2 リクエストの送信を介して、サービス拒否攻撃を可能
とする脆弱性が存在します。(CVE-2022-41717)
- Go の HTTP および MIME ヘッダーの解析処理には、必要以上
の大量のメモリを割り当ててしまう問題があるため、リモート
の攻撃者により、細工された HTTP もしくは MIME ヘッダーの
入力を介して、サービス拒否攻撃 (メモリ枯渇) を可能とする
脆弱性が存在します。(CVE-2023-24534)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-23552
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.
CVE-2022-31123
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources.
CVE-2022-31130
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.
CVE-2022-39201
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.
CVE-2022-39306
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
CVE-2022-39307
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds.
CVE-2022-39324
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.
CVE-2022-41717
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
CVE-2023-24534
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
追加情報:
N/A
ダウンロード:
SRPMS
- grafana-9.2.10-7.el9.ML.1.src.rpm
MD5: 77473cf12da1c675388cbc7123a9a6f1
SHA-256: 6e1d7982b5d20cbebbeb18a8f6dcc7877d072d7ea1de20d8be412d2c413f11cf
Size: 321.65 MB
Asianux Server 9 for x86_64
- grafana-9.2.10-7.el9.ML.1.x86_64.rpm
MD5: ac21023e3e0fb89ba81d551b2e859ab6
SHA-256: 9fd70fa5c552841a285a40f1e9ce774dec09efab91310847726d6cefaf332adc
Size: 72.92 MB
English