Vulnerability CVE-2023-0594: Information
Description
Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.
Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
grafana | sisyphus | 9.5.5-alt1 | 10.2.2-alt1.1 | ALT-PU-2023-4148-1 | 323937 | Fixed |
grafana | p10 | 9.5.5-alt1 | 10.2.2-alt1.1 | ALT-PU-2023-4133-1 | 323967 | Fixed |
grafana | c10f1 | 9.5.5-alt1 | 10.2.2-alt1.1 | ALT-PU-2023-4346-2 | 324663 | Fixed |
grafana | c9f2 | 9.5.5-alt1 | 9.5.5-alt1 | ALT-PU-2023-4567-3 | 323137 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://grafana.com/security/security-advisories/cve-2023-0594/ |
|