SUSE-SU-2022:3676-1

Import Source

JSON Data

https://api.osv.dev/v1/vulns/SUSE-SU-2022:3676-1

Related

Published

2022-10-20T11:40:04Z

Modified

2022-10-20T11:40:04Z

Summary

Security update for grafana

Details

This update for grafana fixes the following issues:

Updated to version 8.5.13 (jsc#PED-2145, jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565):

CVE-2022-36062: Fixed RBAC folders/dashboards privilege escalation (bsc#1203596).
CVE-2022-35957: Fixed escalation from admin to server admin when auth proxy is used (bsc#1203597).
CVE-2022-31107: Fixed OAuth account takeover (bsc#1201539).
CVE-2022-31097: Fixed XSS vulnerability in the Unified Alerting (bsc#1201535).
CVE-2022-21702: Fixed XSS vulnerability in handling data sources (bsc#1195726).
CVE-2022-21703: Fixed cross-origin request forgery vulnerability (bsc#1195727).
CVE-2022-21713: Fixed Insecure Direct Object Reference vulnerability in Teams API (bsc#1195728).
CVE-2022-21673: Fixed missing error return in GetUserInfo if no user was found (bsc#1194873).
CVE-2021-43815: Fixed directory traversal for .csv files (bsc#1193686).
CVE-2021-41244: Fixed incorrect access control vulnerability(bsc#1192763).
CVE-2021-41174: Fixed XSS vulnerability on unauthenticated pages through interpolation binding expressions for AngularJS in URL (bsc#1192383).
CVE-2021-3711: Fixed SM2 Decryption Buffer Overflow (bsc#1189520).
CVE-2021-36222: Fixed a null pointer dereference in the KDC (bsc#1188571).
CVE-2021-43798: Fixed arbitrary file read in the graph native plugin (bsc#1193492).

References

Affected packages

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.13-150100.3.12.1

{
    "binaries": [
        {
            "grafana": "8.5.13-150100.3.12.1"
        }
    ]
}