CVE-2023-1387 (GCVE-0-2023-1387)
Vulnerability from cvelistv5 – Published: 2023-04-26 13:47 – Updated: 2025-02-13 16:39

| Vendor | Product | Version |
|---|---|---|
| Grafana | Grafana | Affected: 9.1.0 , < 9.2.17 (semver); Affected: 9.3.0 , < 9.3.13 (semver); Affected: 9.4.0 , < 9.5.0 (semver) |
| Grafana | Grafana Enterprise | Affected: 9.1.0 , < 9.2.17 (semver); Affected: 9.3.0 , < 9.3.13 (semver); Affected: 9.4.0 , < 9.5.0 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1387",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-31T16:11:53.656123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-31T16:12:05.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.2.17",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
}
]
},
{
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "9.2.17",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \u003c/p\u003e\u003cp\u003eBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana."
}
],
"impacts": [
{
"capecId": "CAPEC-116",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-116"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T07:06:35.623Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-1387",
"datePublished": "2023-04-26T13:47:16.914Z",
"dateReserved": "2023-03-14T11:11:01.304Z",
"dateUpdated": "2025-02-13T16:39:22.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-1387",
"date": "2026-05-27",
"epss": "0.00291",
"percentile": "0.52586"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-1387\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2023-04-26T14:15:09.430\",\"lastModified\":\"2025-02-13T17:15:58.360\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grafana is an open-source platform for monitoring and observability. \\n\\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \\n\\nBy enabling the \\\"url_login\\\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.5,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\
"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.1.0\",\"versionEndExcluding\":\"9.2.17\",\"matchCriteriaId\":\"5664FC02-E4AA-41EC-8EAA-300AD2272CC2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.3.0\",\"versionEndExcluding\":\"9.3.13\",\"matchCriteriaId\":\"5A544263-545D-4D86-B29F-F7FC12E9A34F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.4.0\",\"versionEndExcluding\":\"9.4.9\",\"matchCriteriaId\":\"99EBCA47-A3CD-4C20-B151-300D43426EB2\"}]}]}],\"references\":[{\"url\":\"https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j\",\"source\":\"security@grafana.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://grafana.com/security/security-advisories/cve-2023-1387/\",\"source\":\"security@grafana.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230609-0003/\",\"source\":\"security@grafana.com\"},{\"url\":\"https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://grafana.com/security/security-advisories/cve-2023-1387/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230609-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2023-1387/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230609-0003/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T05:49:11.313Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-1387\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-31T16:11:53.656123Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-31T16:11:39.486Z\"}}], \"cna\": {\"impacts\": [{\"capecId\": \"CAPEC-116\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-116\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Grafana\", \"product\": \"Grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.1.0\", \"lessThan\": \"9.2.17\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.3.0\", \"lessThan\": \"9.3.13\", \"versionType\": 
\"semver\"}, {\"status\": \"affected\", \"version\": \"9.4.0\", \"lessThan\": \"9.5.0\", \"versionType\": \"semver\"}]}, {\"vendor\": \"Grafana\", \"product\": \"Grafana Enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.1.0\", \"lessThan\": \"9.2.17\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.3.0\", \"lessThan\": \"9.3.13\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.4.0\", \"lessThan\": \"9.5.0\", \"versionType\": \"semver\"}]}], \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2023-1387/\"}, {\"url\": \"https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230609-0003/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grafana is an open-source platform for monitoring and observability. \\n\\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \\n\\nBy enabling the \\\"url_login\\\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eGrafana is an open-source platform for monitoring and observability. \u003c/p\u003e\u003cp\u003eStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \u003c/p\u003e\u003cp\u003eBy enabling the \\\"url_login\\\" configuration option (disabled by default), a JWT might be sent to data sources. 
If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200\"}]}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2023-06-09T07:06:35.623Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-1387\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T16:39:22.007Z\", \"dateReserved\": \"2023-03-14T11:11:01.304Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2023-04-26T13:47:16.914Z\", \"assignerShortName\": \"GRAFANA\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
BDU:2024-02593
Vulnerability from fstec - Published: 26.04.2023

{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Grafana Labs",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u043e\u0442 9.1.0 \u0434\u043e 9.2.17 (Grafana), \u043e\u0442 9.3.0 \u0434\u043e 9.3.13 (Grafana), \u043e\u0442 9.4.0 \u0434\u043e 9.4.9 (Grafana)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f grafana:\nhttps://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j \nhttps://grafana.com/security/security-advisories/cve-2023-1387/\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "26.04.2023",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "13.09.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.04.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-02593",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-1387",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Grafana",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u043d\u0430\u0431\u043b\u044e\u0434\u0435\u043d\u0438\u044f Grafana, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0441\u0443\u0431\u044a\u0435\u043a\u0442\u0443, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 (CWE-200)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u043d\u0430\u0431\u043b\u044e\u0434\u0435\u043d\u0438\u044f Grafana \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c\u044e \u0438\u0441\u043a\u0430\u0442\u044c JWT \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0435 URL-\u0437\u0430\u043f\u0440\u043e\u0441\u0430 auth_token \u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0435\u0433\u043e \u0432 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0442\u043e\u043a\u0435\u043d\u0430 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0431\u043e\u0440 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j\nhttps://grafana.com/security/security-advisories/cve-2023-1387/\nhttps://redos.red-soft.ru/support/secure/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-200",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}
bit-grafana-2023-1387
Vulnerability from bitnami_vulndb
Grafana is an open-source platform for monitoring and observability.
Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token.
By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "grafana",
"purl": "pkg:bitnami/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.1.0"
},
{
"fixed": "9.2.17"
},
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.13"
},
{
"introduced": "9.4.0"
},
{
"fixed": "9.4.9"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2023-1387"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.",
"id": "BIT-grafana-2023-1387",
"modified": "2025-04-03T14:40:37.652Z",
"published": "2024-03-06T10:53:58.577Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
}
],
"schema_version": "1.5.0"
}
CNVD-2023-36311
Vulnerability from cnvd - Published: 2023-05-06

厂商已发布了漏洞修复程序,请及时关注更新: https://grafana.com/security/security-advisories/cve-2023-1387/

| Name | Grafana Grafana |
|---|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2023-1387",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
}
},
"description": "Grafana\u662fGrafana\u5f00\u6e90\u7684\u4e00\u5957\u63d0\u4f9b\u53ef\u89c6\u5316\u76d1\u63a7\u754c\u9762\u7684\u5f00\u6e90\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u548c\u5206\u6790Graphite\u3001InfluxDB\u548cPrometheus\u7b49\u3002\n\nGrafana\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u901a\u8fc7\u542f\u7528url_login\u914d\u7f6e\u9009\u9879\uff0c\u53ef\u4ee5\u5c06JWT\u53d1\u9001\u5230\u6570\u636e\u6e90\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://grafana.com/security/security-advisories/cve-2023-1387/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2023-36311",
"openTime": "2023-05-06",
"patchDescription": "Grafana\u662fGrafana\u5f00\u6e90\u7684\u4e00\u5957\u63d0\u4f9b\u53ef\u89c6\u5316\u76d1\u63a7\u754c\u9762\u7684\u5f00\u6e90\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u548c\u5206\u6790Graphite\u3001InfluxDB\u548cPrometheus\u7b49\u3002\r\n\r\nGrafana\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u901a\u8fc7\u542f\u7528url_login\u914d\u7f6e\u9009\u9879\uff0c\u53ef\u4ee5\u5c06JWT\u53d1\u9001\u5230\u6570\u636e\u6e90\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Grafana\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2023-36311\uff09\u7684\u8865\u4e01",
"products": {
"product": "Grafana Grafana"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387",
"serverity": "\u4e2d",
"submitTime": "2023-05-04",
"title": "Grafana\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2023-36311\uff09"
}
FKIE_CVE-2023-1387
Vulnerability from fkie_nvd - Published: 2023-04-26 14:15 - Updated: 2025-02-13 17:15

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5664FC02-E4AA-41EC-8EAA-300AD2272CC2",
"versionEndExcluding": "9.2.17",
"versionStartIncluding": "9.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5A544263-545D-4D86-B29F-F7FC12E9A34F",
"versionEndExcluding": "9.3.13",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99EBCA47-A3CD-4C20-B151-300D43426EB2",
"versionEndExcluding": "9.4.9",
"versionStartIncluding": "9.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana."
}
],
"id": "CVE-2023-1387",
"lastModified": "2025-02-13T17:15:58.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 3.6,
"source": "security@grafana.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-26T14:15:09.430",
"references": [
{
"source": "security@grafana.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"source": "security@grafana.com",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"source": "security@grafana.com",
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
],
"sourceIdentifier": "security@grafana.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security@grafana.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-C3H9-VPFV-3X4M
Vulnerability from github – Published: 2023-04-26 15:30 – Updated: 2025-02-13 18:31

Grafana is an open-source platform for monitoring and observability.
Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token.
By enabling the "url_login" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.
{
"affected": [],
"aliases": [
"CVE-2023-1387"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-26T14:15:09Z",
"severity": "HIGH"
},
"details": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.",
"id": "GHSA-c3h9-vpfv-3x4m",
"modified": "2025-02-13T18:31:34Z",
"published": "2023-04-26T15:30:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230609-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GSD-2023-1387
Vulnerability from gsd - Updated: 2023-12-13 01:20{
"GSD": {
"alias": "CVE-2023-1387",
"id": "GSD-2023-1387"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-1387"
],
"details": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n",
"id": "GSD-2023-1387",
"modified": "2023-12-13T01:20:41.957154Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@grafana.com",
"ID": "CVE-2023-1387",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Grafana",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.1.0",
"version_value": "9.2.17"
},
{
"version_affected": "\u003c",
"version_name": "9.3.0",
"version_value": "9.3.13"
},
{
"version_affected": "\u003c",
"version_name": "9.4.0",
"version_value": "9.5.0"
}
]
}
},
{
"product_name": "Grafana Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.1.0",
"version_value": "9.2.17"
},
{
"version_affected": "\u003c",
"version_name": "9.3.0",
"version_value": "9.3.13"
},
{
"version_affected": "\u003c",
"version_name": "9.4.0",
"version_value": "9.5.0"
}
]
}
}
]
},
"vendor_name": "Grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n"
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-200",
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"refsource": "MISC",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"name": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j",
"refsource": "MISC",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230609-0003/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.4.9",
"versionStartIncluding": "9.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.3.13",
"versionStartIncluding": "9.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.2.17",
"versionStartIncluding": "9.1.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@grafana.com",
"ID": "CVE-2023-1387"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
},
{
"name": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-5585-m9r5-p86j"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230609-0003/",
"refsource": "MISC",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20230609-0003/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-06-09T08:15Z",
"publishedDate": "2023-04-26T14:15Z"
}
}
}
OPENSUSE-SU-2024:12890-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.5.1-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.5.1-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.5.1-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.5.1-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-9.5.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-9.5.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12890",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12890-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-1387 page",
"url": "https://www.suse.com/security/cve/CVE-2023-1387/"
}
],
"title": "grafana-9.5.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12890-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.5.1-1.1.aarch64",
"product": {
"name": "grafana-9.5.1-1.1.aarch64",
"product_id": "grafana-9.5.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.5.1-1.1.ppc64le",
"product": {
"name": "grafana-9.5.1-1.1.ppc64le",
"product_id": "grafana-9.5.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.5.1-1.1.s390x",
"product": {
"name": "grafana-9.5.1-1.1.s390x",
"product_id": "grafana-9.5.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.5.1-1.1.x86_64",
"product": {
"name": "grafana-9.5.1-1.1.x86_64",
"product_id": "grafana-9.5.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.5.1-1.1.aarch64"
},
"product_reference": "grafana-9.5.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.5.1-1.1.ppc64le"
},
"product_reference": "grafana-9.5.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.5.1-1.1.s390x"
},
"product_reference": "grafana-9.5.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.5.1-1.1.x86_64"
},
"product_reference": "grafana-9.5.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-1387",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-1387"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.5.1-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.5.1-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.5.1-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.5.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-1387",
"url": "https://www.suse.com/security/cve/CVE-2023-1387"
},
{
"category": "external",
"summary": "SUSE Bug 1210907 for CVE-2023-1387",
"url": "https://bugzilla.suse.com/1210907"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.5.1-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.5.1-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.5.1-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.5.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.5.1-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.5.1-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.5.1-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.5.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-1387"
}
]
}
RHSA-2023:7741
Vulnerability from csaf_redhat - Published: 2023-12-12 13:55 - Updated: 2026-05-28 09:47
A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information because of an issue that arises when the "url_login" configuration option is enabled. By sending a specially crafted request, an attacker can obtain JWT information and use it to launch further attacks against the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
A flaw was found in Grafana. This flaw allows an attacker to host a Graphite instance whose modified Function Descriptions contain XSS payloads. When the victim uses that instance in a query and accidentally hovers over the Function Description, the attacker-controlled XSS payload is executed.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via the "API Alert - Test".
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
A flaw was found in grafana. This issue occurs when sending an API call to the /ds/query or public dashboard query endpoint that has mixed queries, such as having two or more distinct data sources in one API call. As a result, the Grafana instance will crash. Currently, the only feature that uses mixed queries within Grafana is public dashboards, but it is also possible to trigger this issue by calling the API directly. If public dashboards are enabled, reproduction requires a public dashboard to be under a heavy load. If public dashboards are disabled, reproduction only occurs when the /ds/query endpoint with a mixed query payload is under a heavy load with a load testing script.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
Workaround
|
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
Workaround
|
A flaw was found in the handling of multiplexed streams in the HTTP/2 protocol. A client can repeatedly request a new multiplexed stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server in setting up and tearing down the streams while never reaching any server-side limit on the maximum number of active streams per connection, resulting in a denial of service through server resource consumption. Red Hat has rated the severity of this flaw as 'Important' because the US Cybersecurity and Infrastructure Security Agency (CISA) has reported this vulnerability as being actively exploited. CVE-2023-39325 was assigned to the Rapid Reset Attack in the Go language packages. Security Bulletin https://access.redhat.com/security/vulnerabilities/RHSB-2023-003
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.\n\nThis updated container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux.\n\nSpace precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index\n\nAll users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:7741",
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "2181117",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181117"
},
{
"category": "external",
"summary": "2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "2210840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210840"
},
{
"category": "external",
"summary": "2210848",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210848"
},
{
"category": "external",
"summary": "2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"category": "external",
"summary": "2243296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
},
{
"category": "external",
"summary": "2254041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254041"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7741.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update",
"tracking": {
"current_release_date": "2026-05-28T09:47:12+00:00",
"generator": {
"date": "2026-05-28T09:47:12+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:7741",
"initial_release_date": "2023-12-12T13:55:37+00:00",
"revision_history": [
{
"date": "2023-12-12T13:55:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-12-12T13:55:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-28T09:47:12+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ceph Storage 6.1 Tools",
"product": {
"name": "Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ceph_storage:6.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ceph Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"product": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-82"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"product": {
"name": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"product_id": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-4"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"product": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"product_id": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-12"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"product": {
"name": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"product_id": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-263"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"product": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"product_id": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-5"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"product": {
"name": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"product_id": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-48"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"product": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-82"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"product": {
"name": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"product_id": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-4"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"product": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"product_id": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-12"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"product": {
"name": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"product_id": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-263"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"product": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"product_id": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-5"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"product": {
"name": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"product_id": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-48"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"product": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-82"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"product": {
"name": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"product_id": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-4"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"product": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"product_id": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-12"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"product": {
"name": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"product_id": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-263"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"product": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"product_id": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-5"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"product": {
"name": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"product_id": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-48"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64"
},
"product_reference": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x"
},
"product_reference": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le"
},
"product_reference": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x"
},
"product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le"
},
"product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
},
"product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64"
},
"product_reference": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le"
},
"product_reference": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x"
},
"product_reference": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64"
},
"product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x"
},
"product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le"
},
"product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le"
},
"product_reference": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x"
},
"product_reference": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64"
},
"product_reference": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le"
},
"product_reference": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x"
},
"product_reference": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
},
"product_reference": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-1387",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2186322"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information due to an issue that arises when the \"url_login\" configuration option is enabled. By sending a specially crafted request, an attacker can obtain JWT information and use it to launch further attacks against the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: JWT token leak to data source",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1387"
},
{
"category": "external",
"summary": "RHBZ#2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1387",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1387"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/",
"url": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
}
],
"release_date": "2023-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: JWT token leak to data source"
},
{
"cve": "CVE-2023-1410",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-03-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2181117"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This flaw allows an attacker to host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses that instance in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Stored XSS in Graphite FunctionDescription tooltip",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1410"
},
{
"category": "external",
"summary": "RHBZ#2181117",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181117"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1410",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1410"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1410",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1410"
},
{
"category": "external",
"summary": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/",
"url": "https://grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/"
}
],
"release_date": "2023-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: Stored XSS in Graphite FunctionDescription tooltip"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-2183",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2023-05-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2210848"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via the \"API Alert - Test\".",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: missing access control allows test alerts by underprivileged user",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift ServiceMesh (OSSM) has switched to using upstream RHEL RPMs for grafana, and is no longer maintaining the servicemesh-grafana package. Hence, it is marked as affected/won\u0027tfix.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-2183"
},
{
"category": "external",
"summary": "RHBZ#2210848",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210848"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-2183",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-2183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2183"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-2183/",
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
}
],
"release_date": "2023-06-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: missing access control allows test alerts by underprivileged user"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-2801",
"cwe": {
"id": "CWE-820",
"name": "Missing Synchronization"
},
"discovery_date": "2023-05-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2210840"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This issue occurs when an API call to the /ds/query or public dashboard query endpoint contains mixed queries, that is, two or more distinct data sources in one API call. As a result, the Grafana instance crashes. Currently, the only Grafana feature that uses mixed queries is public dashboards, but the issue can also be triggered by calling the API directly.\r\nIf public dashboards are enabled, reproduction requires a public dashboard to be under heavy load. If public dashboards are disabled, reproduction only occurs when the /ds/query endpoint is under heavy load from a load-testing script sending a mixed query payload.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: data source proxy race condition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "- In OpenShift Container Platform (OCP), Red Hat Advanced Cluster Management for Kubernetes (RHACM), and OpenShift ServiceMesh (OSSM), the Grafana components are protected by OpenShift OAuth, which reduces the impact of this flaw to Moderate.\n- OpenShift ServiceMesh (OSSM) has switched to using upstream RHEL RPMs for Grafana and is no longer maintaining the servicemesh-grafana package. Hence, it is marked as affected/won\u0027t fix.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-2801"
},
{
"category": "external",
"summary": "RHBZ#2210840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-2801",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2801"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-2801",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2801"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-2801/",
"url": "https://grafana.com/security/security-advisories/cve-2023-2801/"
}
],
"release_date": "2023-06-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "workaround",
"details": "Block mixed query requests, and patch to disable concurrent mixed query calls",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: data source proxy race condition"
},
{
"cve": "CVE-2023-39325",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-10-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2243296"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the handling of multiplexed streams in the HTTP/2 protocol. A client can repeatedly request a new multiplexed stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server in setting up and tearing down the streams while never reaching the server-side limit on the maximum number of active streams per connection, resulting in a denial of service through server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 because the US Cybersecurity and Infrastructure Security Agency (CISA) has declared this vulnerability actively exploited.\r\n\r\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This CVE is related to CVE-2023-44487.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools use the Golang package as a build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nBecause Go vendors its dependencies, a package may contain a library with a known vulnerability solely because lower-tier libraries include it among their dependencies, while the vulnerable code is not reachable at runtime. In such cases the issue is not exploitable. We classify these situations as \u201cNot affected\u201d or \u201cWill not fix,\u201d depending on the risk of breaking other unrelated packages.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39325"
},
{
"category": "external",
"summary": "RHBZ#2243296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
},
{
"category": "external",
"summary": "RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2023-44487",
"url": "https://access.redhat.com/security/cve/CVE-2023-44487"
},
{
"category": "external",
"summary": "https://go.dev/issue/63417",
"url": "https://go.dev/issue/63417"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2102",
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"category": "external",
"summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
}
],
"release_date": "2023-10-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "workaround",
"details": "The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the Server.MaxConcurrentStreams setting and the ConfigureServer function, both of which are available in the golang.org/x/net/http2 package.",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)"
},
{
"cve": "CVE-2023-44487",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-10-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2242803"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the handling of multiplexed streams in the HTTP/2 protocol. A client can repeatedly request a new multiplexed stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server in setting up and tearing down the streams while never reaching the server-side limit on the maximum number of active streams per connection, resulting in a denial of service through server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 because the US Cybersecurity and Infrastructure Security Agency (CISA) has declared this vulnerability actively exploited.\r\n\r\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\r\n\r\nSecurity Bulletin\r\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using HTTP keepalive.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools use the Golang package as a build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nThe rhc component is no longer impacted by CVE-2023-44487 \u0026 CVE-2023-39325.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-44487"
},
{
"category": "external",
"summary": "RHBZ#2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"category": "external",
"summary": "RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"category": "external",
"summary": "https://github.com/dotnet/announcements/issues/277",
"url": "https://github.com/dotnet/announcements/issues/277"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2102",
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"category": "external",
"summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
},
{
"category": "external",
"summary": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
"url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2023-10-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "workaround",
"details": "Users are strongly urged to update their software as soon as fixes are available. \nThere are several mitigation approaches for this flaw. \n\n1. If circumstances permit, users may disable http2 endpoints to circumvent the flaw altogether until a fix is available.\n2. IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.\n3. Several package specific mitigations are also available. \n a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/\n b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p\n c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\n d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg\n e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-10-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)"
}
]
}
RHSA-2024:0746
Vulnerability from csaf_redhat - Published: 2024-02-08 16:49 - Updated: 2026-05-10 02:38
A flaw was found in the Grafana package. When data-source query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user who queries a data source where caching is enabled can acquire another user’s session.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Workaround
|
A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
A flaw was found in the GeoMap Grafana plugin, where a user can store unsanitized HTML in the GeoMap plugin under the Attribution text field, and the client will process it. The vulnerability makes it possible to use XHR to make arbitrary API calls on behalf of the attacked user. This means that a malicious user with editor permissions could alter a GeoMap panel to include JavaScript that changes the password of the user viewing the panel (who could be an admin) to a known password, thus gaining access to the admin account and resulting in the editor becoming an admin.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Workaround
|
A flaw was found in the grafana package. This flaw allows a malicious user with the ability to introduce trace data to provide a JavaScript that changes the password for the user viewing the trace view (this could be an admin) to a known password, thus gaining access to the admin account.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Workaround
|
A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue when enabling the "url_login" configuration option. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
A flaw was found in the Grafana core plugin, "Text." The vulnerability was possible because React's render cycle passes through unsanitized HTML code; however, the HTML is cleaned and saved in Grafana's database in the next cycle. An attacker needs the Editor role to change a Text panel to include JavaScript. Later, another user needs to edit the same Text panel and click "Markdown" or "HTML" to execute the code. This issue allows possible vertical privilege escalation, where a user with the Editor role can change the password of a user with the Admin role to a known password, if the Admin user executes the malicious JavaScript while viewing a dashboard.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks (`) as JavaScript string delimiters. By sending a specially crafted request, an attacker can execute arbitrary code on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — |
Vendor Fix
fix
Workaround
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — |
Workaround
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
Workaround
|
A flaw was found in HAProxy's header processing that causes HAProxy to drop important header fields such as Connection, Content-Length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le | — | ||
| Unresolved product id: 8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 | — |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated container image for Red Hat Ceph Storage 5.3 is now available in\nthe Red Hat Ecosystem Catalog.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Ceph Storage is a scalable, open, software-defined storage platform\nthat combines the most stable version of the Ceph storage system with a\nCeph management platform, deployment utilities, and support services.\n\nThis updated container image is based on Red Hat Ceph Storage 5.3 and Red\nHat Enterprise Linux.\n\nSpace precludes documenting all of these changes in this advisory. Users\nare directed to the Red Hat Ceph Storage Release Notes for information on\nthe most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.3/html/release_notes/index\n\nAll users of Red Hat Ceph Storage are advised to pull these new images from\nthe Red Hat Ecosystem catalog.\n\nSecurity Fix(es):\n\n* grafana: Use of Cache Containing Sensitive Information (CVE-2022-23498)\n\n* grafana: cross site scripting (CVE-2023-0507)\n\n* grafana: cross site scripting (CVE-2023-0594)\n\n* haproxy: request smuggling attack in HTTP/1 header parsing (CVE-2023-25725)\n\n* golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)\n\n* haproxy: segfault DoS (CVE-2023-0056)\n\n* grafana: JWT token leak to data source (CVE-2023-1387)\n\n* grafana: stored XSS vulnerability affecting the core plugin \"Text\" (CVE-2023-22462)\n\n* golang: html/template: backticks not treated as string delimiters (CVE-2023-24538)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:0746",
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "2164936",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164936"
},
{
"category": "external",
"summary": "2167266",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167266"
},
{
"category": "external",
"summary": "2168037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168037"
},
{
"category": "external",
"summary": "2168038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168038"
},
{
"category": "external",
"summary": "2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "external",
"summary": "2184481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184481"
},
{
"category": "external",
"summary": "2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "2256938",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256938"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0746.json"
}
],
"title": "Red Hat Security Advisory: new container image: rhceph-5.3",
"tracking": {
"current_release_date": "2026-05-10T02:38:16+00:00",
"generator": {
"date": "2026-05-10T02:38:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2024:0746",
"initial_release_date": "2024-02-08T16:49:55+00:00",
"revision_history": [
{
"date": "2024-02-08T16:49:55+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-02-08T16:49:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-10T02:38:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ceph Storage 5.3 Tools",
"product": {
"name": "Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ceph_storage:5.3::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ceph Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"product": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-83"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"product": {
"name": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"product_id": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-39"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"product": {
"name": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"product_id": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-499"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"product": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"product_id": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-32"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"product": {
"name": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"product_id": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-50"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"product": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-83"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"product": {
"name": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"product_id": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-39"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"product": {
"name": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"product_id": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-499"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"product": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"product_id": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-32"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"product": {
"name": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"product_id": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-50"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"product": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"product_id": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-dashboard-rhel8\u0026tag=5-83"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"product": {
"name": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"product_id": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel8\u0026tag=2.1.5-39"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"product": {
"name": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"product_id": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-5-rhel8\u0026tag=5-499"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"product": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"product_id": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel8\u0026tag=2.2.19-32"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"product": {
"name": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"product_id": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel8\u0026tag=1.2.1-50"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x"
},
"product_reference": "rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le"
},
"product_reference": "rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64"
},
"product_reference": "rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64"
},
"product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le"
},
"product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
},
"product_reference": "rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le"
},
"product_reference": "rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x"
},
"product_reference": "rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64"
},
"product_reference": "rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64"
},
"product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le"
},
"product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
},
"product_reference": "rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x"
},
"product_reference": "rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le"
},
"product_reference": "rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64 as a component of Red Hat Ceph Storage 5.3 Tools",
"product_id": "8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
},
"product_reference": "rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64",
"relates_to_product_reference": "8Base-RHCEPH-5.3-Tools"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23498",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-02-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2167266"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana package. When data-source query caching is enabled, Grafana caches all headers, including `grafana_session.` As a result, any user that queries a data source where the caching is enabled can acquire another user\u2019s session.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Use of Cache Containing Sensitive Information",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-23498"
},
{
"category": "external",
"summary": "RHBZ#2167266",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167266"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-23498",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23498"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-23498",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23498"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8"
}
],
"release_date": "2023-02-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "To mitigate the vulnerability, disable the data source query caching for all data sources.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: Use of Cache Containing Sensitive Information"
},
{
"cve": "CVE-2022-41717",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-01-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2161274"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within Red Hat OpenShift Container Platform, the grafana container is listed as \u0027will not fix\u0027. Since OCP 4.10, Grafana itself is not shipped and the Grafana web server is protected behind an OAuth proxy server.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41717"
},
{
"category": "external",
"summary": "RHBZ#2161274",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161274"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41717"
},
{
"category": "external",
"summary": "https://go.dev/cl/455635",
"url": "https://go.dev/cl/455635"
},
{
"category": "external",
"summary": "https://go.dev/cl/455717",
"url": "https://go.dev/cl/455717"
},
{
"category": "external",
"summary": "https://go.dev/issue/56350",
"url": "https://go.dev/issue/56350"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2022-1144",
"url": "https://pkg.go.dev/vuln/GO-2022-1144"
}
],
"release_date": "2022-11-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests"
},
{
"cve": "CVE-2023-0056",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-01-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160808"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: segfault DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0056"
},
{
"category": "external",
"summary": "RHBZ#2160808",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160808"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0056",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0056"
},
{
"category": "external",
"summary": "https://github.com/haproxy/haproxy/issues/1972",
"url": "https://github.com/haproxy/haproxy/issues/1972"
}
],
"release_date": "2022-12-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "haproxy: segfault DoS"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0507",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2023-02-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2168038"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the GeoMap Grafana plugin, where a user can store unsanitized HTML in the Attribution text field of the GeoMap plugin, and the client will render it. The vulnerability makes it possible to use XHR to make arbitrary API calls on behalf of the attacked user. This means that a malicious user with editor permissions could alter a GeoMap panel to include JavaScript that changes the password of the user viewing the panel (who could be an admin) to a known password, gaining access to the admin account and effectively allowing the editor to become an admin.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For the Grafana package shipped in Red Hat Enterprise Linux, it is not possible to take advantage of this vulnerability without \u0027editor\u0027 access, which reduces the impact of this issue in RHEL. Thus, it is rated Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0507"
},
{
"category": "external",
"summary": "RHBZ#2168038",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168038"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0507",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0507"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0507",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0507"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/CVE-2023-0507",
"url": "https://grafana.com/security/security-advisories/CVE-2023-0507"
}
],
"release_date": "2023-03-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "Applying the Content-Security-Policy shipped with Grafana would block inline scripts from executing and would mitigate this.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: cross site scripting"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0594",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2023-02-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2168037"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the grafana package. This flaw allows a malicious user with the ability to introduce trace data to provide JavaScript that changes the password for the user viewing the trace view (this could be an admin) to a known password, thus gaining access to the admin account.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an issue with Grafana Tempo, which we don\u0027t ship in Red Hat Enterprise Linux. Hence, RHEL 8 and 9 are not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0594"
},
{
"category": "external",
"summary": "RHBZ#2168037",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2168037"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0594",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0594"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0594",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0594"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/CVE-2023-0594",
"url": "https://grafana.com/security/security-advisories/CVE-2023-0594"
}
],
"release_date": "2023-03-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "Applying the Content-Security-Policy shipped with Grafana would block inline scripts from executing and would mitigate this.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "grafana: cross site scripting"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-1387",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2186322"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue that occurs when the \"url_login\" configuration option is enabled. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: JWT token leak to data source",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1387"
},
{
"category": "external",
"summary": "RHBZ#2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1387",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1387"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/",
"url": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
}
],
"release_date": "2023-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: JWT token leak to data source"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-22462",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-01-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2164936"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana core plugin, \"Text.\" The vulnerability was possible due to React\u0027s render cycle, which passes through unsanitized HTML code. However, the HTML is cleaned and saved in Grafana\u0027s database in the next cycle. An attacker needs the Editor role to change a Text panel to include JavaScript. Later, another user needs to edit the same Text panel and click \"Markdown\" or \"HTML\" to execute the code. This issue allows possible vertical privilege escalation, where a user with the Editor role can change the password of a user with the Admin role to a known password if the user with the Admin role executes the malicious JavaScript while viewing a dashboard.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: stored XSS vulnerability affecting the core plugin \"Text\"",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Service Mesh containers include the grafana RPM from RHEL and consume CVE fixes for grafana from RHEL channels. The servicemesh-grafana RPM shipped in early versions of OpenShift Service Mesh 2.1 is no longer maintained.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22462"
},
{
"category": "external",
"summary": "RHBZ#2164936",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164936"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22462"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22462",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22462"
}
],
"release_date": "2023-03-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: stored XSS vulnerability affecting the core plugin \"Text\""
},
{
"cve": "CVE-2023-24538",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2023-04-04T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184481"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks (`) as JavaScript string delimiters. By sending a specially crafted request, an attacker could execute arbitrary code on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: html/template: backticks not treated as string delimiters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The described issue involving Go templates and JavaScript template literals poses a moderate severity rather than an important one due to several mitigating factors. Firstly, the vulnerability requires specific conditions to be met: the presence of Go templates within JavaScript template literals. This limits the scope of affected codebases, reducing the likelihood of exploitation. Additionally, the decision to disallow such interactions in future releases of Go indicates a proactive approach to addressing the issue. Furthermore, the affected packages or components within Red Hat Enterprise Linux, such as Conmon, Grafana, and the RHC package, have been assessed and determined not to be impacted due to their specific usage patterns. Thus, the limited scope of affected systems and the absence of exploitation vectors in specific components within Red Hat Enterprise Linux contribute to categorizing the severity of the issue as moderate.\n\nFor Red Hat Enterprise Linux,\n\n* Conmon uses Go in unit testing, but not functionally in the package. Go is used only in test files and not in the actual code, so conmon is not affected.\n* The Go templates in Grafana do not contain any JavaScript. Thus, it is not affected.\n* The rhc package does not make use of html/template. Hence, it is also not affected.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24538"
},
{
"category": "external",
"summary": "RHBZ#2184481",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184481"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24538",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24538"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/59234",
"url": "https://github.com/golang/go/issues/59234"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8",
"url": "https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8"
}
],
"release_date": "2023-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: html/template: backticks not treated as string delimiters"
},
{
"cve": "CVE-2023-25725",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2023-02-11T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2169089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in HAProxy\u0027s header processing that causes HAProxy to drop important header fields such as Connection, Content-length, Transfer-Encoding, and Host after having partially processed them. A maliciously crafted HTTP request could be used in an HTTP request smuggling attack to bypass filtering and detection by HAProxy.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "haproxy: request smuggling attack in HTTP/1 header parsing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform doesn\u0027t ship any haproxy code of its own and instead the openstack-haproxy-container consumes the `haproxy` RPM provided by RHEL.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"known_not_affected": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25725"
},
{
"category": "external",
"summary": "RHBZ#2169089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2169089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25725",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25725"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25725"
},
{
"category": "external",
"summary": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/",
"url": "https://www.haproxy.com/blog/february-2023-header-parser-fixed/"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html",
"url": "https://www.mail-archive.com/haproxy@formilux.org/msg43229.html"
}
],
"release_date": "2023-02-14T16:20:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-08T16:49:55+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2789521\n\nand \n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5/html-single/upgrade_guide/index\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:0746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:6a75187c09c4c29565a936b67314d37fa34cabe0902e5a70deea731ddcee59a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:a3271d3fe7f918a59f96c32fde709b66c9dc5f6d482b5881ca5322a3d701de58_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/keepalived-rhel8@sha256:e39e1ff87d78a154a98bc60f4002ced54758aa1cbbe1a03d57b3141e046eecad_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:5eeace779a37893bfe8f526be9dcfbcf6131af8009cc09d8c04c6a30adf23832_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:6862d889c99ed5652b877660533056d539918e3362a25fea0fb53abe7de23a32_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-dashboard-rhel8@sha256:cbcf2ca9ef81e45796ece23783c282d0313d4a6813a086122466af3f0d3b6088_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:10f9c1198dda12709ad7d67f9cb270370eca4f882ef00f40586d5b0acbc8190b_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:51d3d740a3b063e07a6054142d28bb512af3772201c2233f8e14be5e3d4f6f05_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-5-rhel8@sha256:e0d758ac81cdc23c8a03ebc7832158ffe53a8cab9b2f5f18dfac0bc0147b0f6f_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:04682c5e2b75cebaf5bd57c9f2c9375361869aa3b7e2e8795a548b7f872327db_amd64",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:663c2136462c821cafff78ebe1fd993308834358b1241eb7a8c1c440e3057935_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/rhceph-haproxy-rhel8@sha256:88f02f1bba0d7698a1848ad011c418bdaaa97b9095f5d5d5b7fdda48869c87a2_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:031ef712e4211d539514d5c5ce447515f5711af4e6b679e758352942b8b2d709_s390x",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:ab41dff414825b28512047407bb4bdf7bfa67c02f783c2469712f54a24a5d167_ppc64le",
"8Base-RHCEPH-5.3-Tools:rhceph/snmp-notifier-rhel8@sha256:d7334b7d095562b8fd7d93b17bc5a9f4b2788ed553148bb8bad9ab0a2bba0be9_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "haproxy: request smuggling attack in HTTP/1 header parsing"
}
]
}
SUSE-SU-2023:2575-1
Vulnerability from csaf_suse - Published: 2023-06-21 11:42 - Updated: 2023-06-21 11:42

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64 | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x | — | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64 | — | Vendor Fix |

{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for SUSE Manager Client Tools",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update fixes the following issues:\n\ngrafana:\n\n- Version update from 8.5.22 to 9.5.1 (jsc#PED-3694):\n * Security fixes:\n - CVE-2023-1410: grafana: Stored XSS in Graphite FunctionDescription tooltip (bsc#1209645)\n - CVE-2023-1387: grafana: JWT URL-login flow leaks token to data sources through request parameter in proxy requests\n (bnc#1210907)\n - CVE-2022-36062: grafana: Fix RBAC folders/dashboards privilege escalation (bsc#1203596)\n - CVE-2022-35957: grafana: Escalation from admin to server admin when auth proxy is used (bsc#1203597)\n - CVE-2022-32149: Upgrade x/text to version unaffected by CVE-2022-32149 (bsc#1204501)\n - CVE-2022-31107: grafana: OAuth account takeover (bsc#1201539)\n - CVE-2022-31097: grafana: stored XSS vulnerability (bsc#1201535)\n - CVE-2022-27664: go1.18,go1.19: net/http: handle server errors after sending GOAWAY (bsc#1203185)\n - CVE-2022-0155: follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor\n - CVE-2021-43138: spacewalk-web: a malicious user can obtain privileges via the mapValues() method(bsc#1200480)\n - CVE-2021-3918: json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes\n (\u0027Prototype Pollution\u0027) (bsc#1192696)\n - CVE-2021-3807: node-ansi-regex: Inefficient Regular Expression Complexity in chalk/ansi-regex (bsc#1192154)\n - CVE-2020-7753: nodejs-trim: Regular Expression Denial of Service (ReDoS) in trim function \n * Important changes:\n - Default named retention policies won\u0027t be used to query.\n Users who have a default named retention policy in their influxdb database, have to rename it to something else.\n To change the hardcoded retention policy in the dashboard.json, users must then select the right retention policy\n from dropdown and save the panel/dashboard.\n - Grafana Alerting rules with NoDataState configuration set to Alerting will now respect \u0027For\u0027 duration.\n - Users who use LDAP role sync to only 
sync Viewer, Editor and Admin roles, but grant Grafana Server Admin role\n manually will not be able to do that anymore. After this change, LDAP role sync will override any manual changes\n to Grafana Server Admin role assignments. If grafana_admin is left unset in LDAP role mapping configuration, it\n will default to false.\n - The InfluxDB backend migration feature toggle (influxdbBackendMigration) has been reintroduced in this version\n as issues were discovered with backend processing of InfluxDB data. Unless this feature toggle is enabled, all\n InfluxDB data will be parsed in the frontend. This frontend processing is the default behavior. \n In Grafana 9.4.4, InfluxDB data parsing started to be handled in the backend. If you have upgraded to 9.4.4\n and then added new transformations on InfluxDB data, those panels will fail to render. To resolve this either:\n Remove the affected panel and re-create it or edit the `time` field as `Time` in `panel.json` \n or `dashboard.json`\n - The `@grafana/ui` package helper function `selectOptionInTest` used in frontend tests has been removed as it\n caused testing libraries to be bundled in the production code of Grafana. If you were using this helper function\n in your tests please update your code accordingly.\n - Removed deprecated `checkHealth` prop from the `@grafana/e2e` `addDataSource` configuration. Previously this\n value defaulted to `false`, and has not been used in end-to-end tests since Grafana 8.0.3.\n - Removed the deprecated `LegacyBaseMap`, `LegacyValueMapping`, `LegacyValueMap`, and `LegacyRangeMap` types, and\n `getMappedValue` function from grafana-data. See the documentation for the migration.\n This change fixes a bug in Grafana where intermittent failure of database, network between Grafana and the\n database, or error in querying the database would cause all alert rules to be unscheduled in Grafana. 
\n Following this change scheduled alert rules are not updated unless the query is successful.\n - The `get_alert_rules_duration_seconds` metric has been renamed to `schedule_query_alert_rules_duration_seconds`\n - Any secret (data sources credential, alert manager credential, etc, etc) created or modified with Grafana v9.0\n won\u0027t be decryptable from any previous version (by default) because the way encrypted secrets are stored into the\n database has changed. Although secrets created or modified with previous versions will still be decryptable by\n Grafana v9.0.\n - If required, although generally discouraged, the `disableEnvelopeEncryption` feature toggle can be enabled to\n keep envelope encryption disabled once updating to Grafana\n - In case of need to rollback to an earlier version of Grafana (i.e. Grafana v8.x) for any reason, after being\n created or modified any secret with Grafana v9.0, the `envelopeEncryption` feature toggle will need to be enabled\n to keep backwards compatibility (only from `v8.3.x` a bit unstable, from `8.5.x` stable).\n - As a final attempt to deal with issues related with the aforementioned situations, the \n `grafana-cli admin secrets-migration rollback` command has been designed to move back all the Grafana secrets\n encrypted with envelope encryption to legacy encryption. So, after running that command it should be safe to\n disable envelope encryption and/or roll back to a previous version of Grafana.\n Alternatively or complementarily to all the points above, backing up the Grafana database before updating could\n be a good idea to prevent disasters (although the risk of getting some secrets corrupted only applies to those \n updates/created with after updating to Grafana v9.0).\n - In Elasticsearch, browser access mode was deprecated in grafana 7.4.0 and removed in 9.0.0. 
If you used this mode\n please switch to server access mode on the datasource configuration page.\n - Environment variables passed from Grafana to external Azure plugins have been renamed:\n `AZURE_CLOUD` renamed to `GFAZPL_AZURE_CLOUD`,\n `AZURE_MANAGED_IDENTITY_ENABLED` renamed to `GFAZPL_MANAGED_IDENTITY_ENABLED`,\n `AZURE_MANAGED_IDENTITY_CLIENT_ID` renamed to `GFAZPL_MANAGED_IDENTITY_CLIENT_ID`.\n There are no known plugins which were relying on these variables. Moving forward plugins should read Azure\n settings only via Grafana Azure SDK which properly handles old and new environment variables.\n - Removes support for ElasticSearch versions after their end-of-life, currently versions \u003c 7.10.0.\n To continue to use ElasticSearch data source, upgrade ElasticSearch to version 7.10.0+.\n - Application Insights and Insight Analytics queries in Azure Monitor were deprecated in Grafana 8.0 and finally\n removed in 9.0. Deprecated queries will no longer be executed.\n - grafana/ui: Button now specifies a default type=\u0027button\u0027.\n The `Button` component provided by @grafana/ui now specifies a default `type=\u0027button\u0027` when no type is provided.\n In previous versions, if the attribute was not specified for buttons associated with a `\u003cform\u003e` the\n default value was `submit` per the specification. You can preserve the old behavior by explicitly setting the\n type attribute: `\u003cButton type=\u0027submit\u0027 /\u003e`\n - The `Rename by regex` transformation has been improved to allow global patterns of the form \n `/\u003cstringToReplace\u003e/g`.\n Depending on the regex match used, this may cause some transformations to behave slightly differently. You can\n guarantee the same behaviour as before by wrapping the `match` string in forward slashes (`/`), e.g. `(.*)` would\n become `/(.*)/`\n - `\u003cSelect /\u003e` menus will now portal to the document body by default. 
This is to give more consistent\n behaviour when positioning and overlaying. If you were setting `menuShouldPortal={true}` before you can safely \n remove that prop and behaviour will be the same. If you weren\u0027t explicitly setting that prop, there should be no\n visible changes in behaviour but your tests may need updating. If you were setting `menuShouldPortal={false}`\n this will continue to prevent the menu from portalling.\n - Grafana alerting endpoint prefixed with `api/v1/rule/test` that tests a rule against a Cortex/Loki data source now\n expects the data source UID as a path parameter instead of the data source numeric identifier.\n - Grafana alerting endpoints prefixed with `api/prometheus/` that proxy requests to a Cortex/Loki data source now\n expect the data source UID as a path parameter instead of the data source numeric identifier.\n - Grafana alerting endpoints prefixed with `api/ruler/` that proxy requests to a Cortex/Loki data source now expect\n the data source UID as a path parameter instead of the data source numeric identifier.\n - Grafana alerting endpoints prefixed with `api/alertmanager/` that proxy requests to an Alertmanager now expect\n the data source UID as a path parameter instead of the data source numeric identifier.\n - The format of log messages has been updated, `lvl` is now `level` and `eror` and `dbug` have been replaced with\n `error` and `debug`. The precision of timestamps has been increased.\n To smooth the transition, it is possible to opt-out of the new log format by enabling the feature toggle\n `oldlog`.\n This option will be removed in a future minor release.\n - In the Loki data source, the dataframe format used to represent Loki logs-data has been changed to a more\n efficient format. The query-result is represented by a single dataframe with a \u0027labels\u0027 column, instead of the\n separate dataframes for every labels-value. 
When displaying such data in explore, or in a logs-panel in the\n dashboard will continue to work without changes, but if the data was loaded into a different dashboard-panel, or\n Transforms were used, adjustments may be necessary. For example, if you used the \u0027labels to fields\u0027 \n transformation with the logs data, please switch to the \u0027extract fields\u0027 transformation.\n * Deprecations:\n - The `grafana_database_conn_*` metrics are deprecated, and will be removed in a future version of Grafana. Use \n the `go_sql_stats_*` metrics instead.\n - Support for compact Explore URLs is deprecated and will be removed in a future release. Until then, when\n navigating to Explore using the deprecated format the URLs are automatically converted. If you have\n existing links pointing to Explore update them using the format generated by Explore upon navigation.\n You can identify a compact URL by its format. Compact URLs have the left (and optionally right) url parameter as\n an array of strings, for example `\u0026left=[\u0027now-1h\u0027,\u0027now\u0027...]`. The standard explore URLs follow a key/value\n pattern, for example `\u0026left={\u0027datasource\u0027:\u0027test\u0027...}`. Please be sure to check your dashboards for any\n hardcoded links to Explore and update them to the standard URL pattern.\n - Chore: Remove deprecated DataSourceAPI methods.\n - Data: Remove deprecated types and functions from valueMappings.\n - Elasticsearch: Remove browser access mode.\n - Elasticsearch: Remove support for versions after their end of the life (\u003c7.10.0).\n - Explore: Remove support for legacy, compact format URLs.\n - Graph: Deprecate Graph (old) and make it no longer a visualization option for new panels.\n - `setExploreQueryField`, `setExploreMetricsQueryField` and `setExploreLogsQueryField` are now deprecated and will\n be removed in a future release. 
If you need to set a different query editor for Explore, conditionally render\n based on `props.app` in your regular query editor.\n * Changes:\n - User: Fix externalUserId not being populated.\n If you used any of these components, please use them from grafana/experimental from now on:\n - AccessoryButton\n - EditorFieldGroup\n - EditorHeader\n - EditorField\n - EditorRow\n - EditorList\n - EditorRows\n - EditorSwitch\n - FlexItem\n - Stack\n - InlineSelect\n - InputGroup\n - Space\n - Starting with 9.1.0, existing heatmap panels will start using a new implementation. This can be disabled by\n setting the `useLegacyHeatmapPanel` feature flag to true. It can be tested on a single dashboard by adding\n `?__feature.useLegacyHeatmapPanel=true` to any dashboard URL.\n - Logger: Enable new logging format by default.\n - Loki: Enable new visual query builder by default.\n - Plugins: Remove plugin list panel.\n - Install wrapper scripts under /usr/sbin\n - Install actual binaries under /usr/libexec/grafana (or /usr/lib under older distributions) and create a symlink \n for wrapper scripts and the service (which expect the binary to be under /usr/share/grafana/bin)\n - Chore: Upgrade typescript to 4.6.4.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-2575,SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-2575,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-2575,openSUSE-SLE-15.4-2023-2575,openSUSE-SLE-15.5-2023-2575",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_2575-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2023:2575-1",
"url": "https://www.suse.com/support/update/announcement/2023/suse-su-20232575-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2023:2575-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2023-June/029953.html"
},
{
"category": "self",
"summary": "SUSE Bug 1192154",
"url": "https://bugzilla.suse.com/1192154"
},
{
"category": "self",
"summary": "SUSE Bug 1192696",
"url": "https://bugzilla.suse.com/1192696"
},
{
"category": "self",
"summary": "SUSE Bug 1200480",
"url": "https://bugzilla.suse.com/1200480"
},
{
"category": "self",
"summary": "SUSE Bug 1201535",
"url": "https://bugzilla.suse.com/1201535"
},
{
"category": "self",
"summary": "SUSE Bug 1201539",
"url": "https://bugzilla.suse.com/1201539"
},
{
"category": "self",
"summary": "SUSE Bug 1203185",
"url": "https://bugzilla.suse.com/1203185"
},
{
"category": "self",
"summary": "SUSE Bug 1203596",
"url": "https://bugzilla.suse.com/1203596"
},
{
"category": "self",
"summary": "SUSE Bug 1203597",
"url": "https://bugzilla.suse.com/1203597"
},
{
"category": "self",
"summary": "SUSE Bug 1204501",
"url": "https://bugzilla.suse.com/1204501"
},
{
"category": "self",
"summary": "SUSE Bug 1209645",
"url": "https://bugzilla.suse.com/1209645"
},
{
"category": "self",
"summary": "SUSE Bug 1210907",
"url": "https://bugzilla.suse.com/1210907"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-7753 page",
"url": "https://www.suse.com/security/cve/CVE-2020-7753/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3807 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3807/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-3918 page",
"url": "https://www.suse.com/security/cve/CVE-2021-3918/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-43138 page",
"url": "https://www.suse.com/security/cve/CVE-2021-43138/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-0155 page",
"url": "https://www.suse.com/security/cve/CVE-2022-0155/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-27664 page",
"url": "https://www.suse.com/security/cve/CVE-2022-27664/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-31097 page",
"url": "https://www.suse.com/security/cve/CVE-2022-31097/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-31107 page",
"url": "https://www.suse.com/security/cve/CVE-2022-31107/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-32149 page",
"url": "https://www.suse.com/security/cve/CVE-2022-32149/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35957 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35957/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36062 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36062/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-1387 page",
"url": "https://www.suse.com/security/cve/CVE-2023-1387/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-1410 page",
"url": "https://www.suse.com/security/cve/CVE-2023-1410/"
}
],
"title": "Security update for SUSE Manager Client Tools",
"tracking": {
"current_release_date": "2023-06-21T11:42:33Z",
"generator": {
"date": "2023-06-21T11:42:33Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2023:2575-1",
"initial_release_date": "2023-06-21T11:42:33Z",
"revision_history": [
{
"date": "2023-06-21T11:42:33Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.5.1-150200.3.41.3.aarch64",
"product": {
"name": "grafana-9.5.1-150200.3.41.3.aarch64",
"product_id": "grafana-9.5.1-150200.3.41.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.5.1-150200.3.41.3.i586",
"product": {
"name": "grafana-9.5.1-150200.3.41.3.i586",
"product_id": "grafana-9.5.1-150200.3.41.3.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.5.1-150200.3.41.3.ppc64le",
"product": {
"name": "grafana-9.5.1-150200.3.41.3.ppc64le",
"product_id": "grafana-9.5.1-150200.3.41.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.5.1-150200.3.41.3.s390x",
"product": {
"name": "grafana-9.5.1-150200.3.41.3.s390x",
"product_id": "grafana-9.5.1-150200.3.41.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.5.1-150200.3.41.3.x86_64",
"product": {
"name": "grafana-9.5.1-150200.3.41.3.x86_64",
"product_id": "grafana-9.5.1-150200.3.41.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Package Hub 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:15:sp5"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.aarch64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.ppc64le as component of SUSE Linux Enterprise Module for Package Hub 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.s390x as component of SUSE Linux Enterprise Module for Package Hub 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.x86_64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP4",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.aarch64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.ppc64le as component of SUSE Linux Enterprise Module for Package Hub 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.s390x as component of SUSE Linux Enterprise Module for Package Hub 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.x86_64 as component of SUSE Linux Enterprise Module for Package Hub 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.ppc64le as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.s390x as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.s390x",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.ppc64le as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.s390x as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.s390x",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.5.1-150200.3.41.3.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
},
"product_reference": "grafana-9.5.1-150200.3.41.3.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-7753"
}
],
"notes": [
{
"category": "general",
"text": "All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-7753",
"url": "https://www.suse.com/security/cve/CVE-2020-7753"
},
{
"category": "external",
"summary": "SUSE Bug 1218843 for CVE-2020-7753",
"url": "https://bugzilla.suse.com/1218843"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "important"
}
],
"title": "CVE-2020-7753"
},
{
"cve": "CVE-2021-3807",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3807"
}
],
"notes": [
{
"category": "general",
"text": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3807",
"url": "https://www.suse.com/security/cve/CVE-2021-3807"
},
{
"category": "external",
"summary": "SUSE Bug 1192154 for CVE-2021-3807",
"url": "https://bugzilla.suse.com/1192154"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "important"
}
],
"title": "CVE-2021-3807"
},
{
"cve": "CVE-2021-3918",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-3918"
}
],
"notes": [
{
"category": "general",
"text": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-3918",
"url": "https://www.suse.com/security/cve/CVE-2021-3918"
},
{
"category": "external",
"summary": "SUSE Bug 1192696 for CVE-2021-3918",
"url": "https://bugzilla.suse.com/1192696"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "important"
}
],
"title": "CVE-2021-3918"
},
{
"cve": "CVE-2021-43138",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-43138"
}
],
"notes": [
{
"category": "general",
"text": "In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-43138",
"url": "https://www.suse.com/security/cve/CVE-2021-43138"
},
{
"category": "external",
"summary": "SUSE Bug 1200480 for CVE-2021-43138",
"url": "https://bugzilla.suse.com/1200480"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "important"
}
],
"title": "CVE-2021-43138"
},
{
"cve": "CVE-2022-0155",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-0155"
}
],
"notes": [
{
"category": "general",
"text": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-0155",
"url": "https://www.suse.com/security/cve/CVE-2022-0155"
},
{
"category": "external",
"summary": "SUSE Bug 1218844 for CVE-2022-0155",
"url": "https://bugzilla.suse.com/1218844"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "moderate"
}
],
"title": "CVE-2022-0155"
},
{
"cve": "CVE-2022-27664",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-27664"
}
],
"notes": [
{
"category": "general",
"text": "In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-27664",
"url": "https://www.suse.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "SUSE Bug 1203185 for CVE-2022-27664",
"url": "https://bugzilla.suse.com/1203185"
},
{
"category": "external",
"summary": "SUSE Bug 1203293 for CVE-2022-27664",
"url": "https://bugzilla.suse.com/1203293"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "important"
}
],
"title": "CVE-2022-27664"
},
{
"cve": "CVE-2022-31097",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-31097"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-31097",
"url": "https://www.suse.com/security/cve/CVE-2022-31097"
},
{
"category": "external",
"summary": "SUSE Bug 1201535 for CVE-2022-31097",
"url": "https://bugzilla.suse.com/1201535"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "important"
}
],
"title": "CVE-2022-31097"
},
{
"cve": "CVE-2022-31107",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-31107"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user\u0027s external user id is not already associated with an account in Grafana, the malicious user\u0027s email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user\u0027s Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-31107",
"url": "https://www.suse.com/security/cve/CVE-2022-31107"
},
{
"category": "external",
"summary": "SUSE Bug 1201539 for CVE-2022-31107",
"url": "https://bugzilla.suse.com/1201539"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "important"
}
],
"title": "CVE-2022-31107"
},
{
"cve": "CVE-2022-32149",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-32149"
}
],
"notes": [
{
"category": "general",
"text": "An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-32149",
"url": "https://www.suse.com/security/cve/CVE-2022-32149"
},
{
"category": "external",
"summary": "SUSE Bug 1204501 for CVE-2022-32149",
"url": "https://bugzilla.suse.com/1204501"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "important"
}
],
"title": "CVE-2022-32149"
},
{
"cve": "CVE-2022-35957",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35957"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35957",
"url": "https://www.suse.com/security/cve/CVE-2022-35957"
},
{
"category": "external",
"summary": "SUSE Bug 1203597 for CVE-2022-35957",
"url": "https://bugzilla.suse.com/1203597"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "moderate"
}
],
"title": "CVE-2022-35957"
},
{
"cve": "CVE-2022-36062",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36062"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36062",
"url": "https://www.suse.com/security/cve/CVE-2022-36062"
},
{
"category": "external",
"summary": "SUSE Bug 1203596 for CVE-2022-36062",
"url": "https://bugzilla.suse.com/1203596"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "moderate"
}
],
"title": "CVE-2022-36062"
},
{
"cve": "CVE-2023-1387",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-1387"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the authentication token. \n\nBy enabling the \"url_login\" configuration option (disabled by default), a JWT might be sent to data sources. If an attacker has access to the data source, the leaked token could be used to authenticate to Grafana.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-1387",
"url": "https://www.suse.com/security/cve/CVE-2023-1387"
},
{
"category": "external",
"summary": "SUSE Bug 1210907 for CVE-2023-1387",
"url": "https://bugzilla.suse.com/1210907"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "moderate"
}
],
"title": "CVE-2023-1387"
},
{
"cve": "CVE-2023-1410",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-1410"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. \n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible because the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description, a Grafana admin needs to configure the data source, and later a Grafana user needs to select a tampered function and hover over the description. \n\nUsers may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-1410",
"url": "https://www.suse.com/security/cve/CVE-2023-1410"
},
{
"category": "external",
"summary": "SUSE Bug 1209645 for CVE-2023-1410",
"url": "https://bugzilla.suse.com/1209645"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-9.5.1-150200.3.41.3.x86_64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.aarch64",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.ppc64le",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.s390x",
"SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.4:grafana-9.5.1-150200.3.41.3.x86_64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.aarch64",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.ppc64le",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.s390x",
"openSUSE Leap 15.5:grafana-9.5.1-150200.3.41.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-06-21T11:42:33Z",
"details": "moderate"
}
],
"title": "CVE-2023-1410"
}
]
}
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.