RLSA-2022:7519

Import Source

https://storage.googleapis.com/resf-osv-data/RLSA-2022:7519.json

Related

• CVE-2021-23648
• CVE-2022-1705
• CVE-2022-1962
• CVE-2022-21673
• CVE-2022-21698
• CVE-2022-21702
• CVE-2022-21703
• CVE-2022-21713
• CVE-2022-28131
• CVE-2022-30630
• CVE-2022-30631
• CVE-2022-30632
• CVE-2022-30633
• CVE-2022-30635
• CVE-2022-32148

Published

2022-11-08T06:21:47Z

Modified

2023-02-02T13:50:31.843726Z

Summary

Moderate: grafana security, bug fix, and enhancement update

Details

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

The following packages have been upgraded to a later upstream version: grafana (7.5.15). (BZ#2055348)

Security Fix(es):

• sanitize-url: XSS due to improper sanitization in sanitizeUrl function (CVE-2021-23648)

• golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

• golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

• grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)

• prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)

• grafana: XSS vulnerability in data source handling (CVE-2022-21702)

• grafana: CSRF vulnerability can lead to privilege escalation (CVE-2022-21703)

• grafana: IDOR vulnerability can lead to information disclosure (CVE-2022-21713)

• golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

• golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)

• golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

• golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)

• golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

• golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

• golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Rocky Linux 8.7 Release Notes linked from the References section.

References

• https://errata.rockylinux.org/RLSA-2022:7519
• https://bugzilla.redhat.com/show_bug.cgi?id=2044628
• https://bugzilla.redhat.com/show_bug.cgi?id=2045880
• https://bugzilla.redhat.com/show_bug.cgi?id=2050648
• https://bugzilla.redhat.com/show_bug.cgi?id=2050742
• https://bugzilla.redhat.com/show_bug.cgi?id=2050743
• https://bugzilla.redhat.com/show_bug.cgi?id=2055348
• https://bugzilla.redhat.com/show_bug.cgi?id=2065290
• https://bugzilla.redhat.com/show_bug.cgi?id=2107342
• https://bugzilla.redhat.com/show_bug.cgi?id=2107371
• https://bugzilla.redhat.com/show_bug.cgi?id=2107374
• https://bugzilla.redhat.com/show_bug.cgi?id=2107376
• https://bugzilla.redhat.com/show_bug.cgi?id=2107383
• https://bugzilla.redhat.com/show_bug.cgi?id=2107386
• https://bugzilla.redhat.com/show_bug.cgi?id=2107388
• https://bugzilla.redhat.com/show_bug.cgi?id=2107390
• https://bugzilla.redhat.com/show_bug.cgi?id=2107392