SUSE-SU-2021:1233-1

Source
https://www.suse.com/support/update/announcement/2021/suse-su-20211233-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2021:1233-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2021:1233-1
Published
2021-04-15T15:21:15Z
Modified
2021-04-15T15:21:15Z
Summary
Security update for grafana and system-user-grafana
Details

This update for grafana and system-user-grafana fixes the following issues:

  • Updated grafana to upstream version 7.3.1

    • CVE-2020-12245: Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip (bsc#1170557)
    • CVE-2020-13379: The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault (bsc#1172409)
    • CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana (bsc#1148383)
    • CVE-2020-12052: Grafana versions below 6.7.3 are vulnerable to annotation popup XSS (bsc#1170657)
    • CVE-2020-24303: Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. (bsc#1178243)
    • CVE-2018-18623: Grafana 5.3.1 has XSS via the 'Dashboard > Text Panel' screen (bsc#1172450)
    • CVE-2019-19499: Grafana versions up to and including 6.4.3 have an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker with privileges to modify the data source configurations (bsc#1175951)

    • Please refer to this package's changelog to get a full list of all changes (including bug fixes etc.)

  • Initial shipment of system-user-grafana to SES 6

Affected packages

SUSE:Manager Client Tools 15 / system-user-grafana

Package

Name
system-user-grafana
Purl
pkg:rpm/suse/system-user-grafana&distro=SUSE%20Manager%20Client%20Tools%2015

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.0-3.9.1

Ecosystem specific

{
    "binaries": [
        {
            "system-user-grafana": "1.0.0-3.9.1"
        }
    ]
}

SUSE:Enterprise Storage 6 / grafana

Package

Name
grafana
Purl
pkg:rpm/suse/grafana&distro=SUSE%20Enterprise%20Storage%206

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
7.3.1-3.6.1

Ecosystem specific

{
    "binaries": [
        {
            "system-user-grafana": "1.0.0-3.9.1",
            "grafana": "7.3.1-3.6.1"
        }
    ]
}

SUSE:Enterprise Storage 6 / system-user-grafana

Package

Name
system-user-grafana
Purl
pkg:rpm/suse/system-user-grafana&distro=SUSE%20Enterprise%20Storage%206

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.0-3.9.1

Ecosystem specific

{
    "binaries": [
        {
            "system-user-grafana": "1.0.0-3.9.1",
            "grafana": "7.3.1-3.6.1"
        }
    ]
}