SUSE-SU-2022:3676-1

Source
https://www.suse.com/support/update/announcement/2022/suse-su-20223676-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:3676-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2022:3676-1
Related
Published
2022-10-20T11:40:04Z
Modified
2022-10-20T11:40:04Z
Summary
Security update for grafana
Details

This update for grafana fixes the following issues:

Updated to version 8.5.13 (jsc#PED-2145, jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565):

  • CVE-2022-36062: Fixed RBAC folders/dashboards privilege escalation (bsc#1203596).
  • CVE-2022-35957: Fixed escalation from admin to server admin when auth proxy is used (bsc#1203597).
  • CVE-2022-31107: Fixed OAuth account takeover (bsc#1201539).
  • CVE-2022-31097: Fixed XSS vulnerability in the Unified Alerting (bsc#1201535).
  • CVE-2022-21702: Fixed XSS vulnerability in handling data sources (bsc#1195726).
  • CVE-2022-21703: Fixed cross-origin request forgery vulnerability (bsc#1195727).
  • CVE-2022-21713: Fixed Insecure Direct Object Reference vulnerability in Teams API (bsc#1195728).
  • CVE-2022-21673: Fixed missing error return in GetUserInfo if no user was found (bsc#1194873).
  • CVE-2021-43815: Fixed directory traversal for .csv files (bsc#1193686).
  • CVE-2021-41244: Fixed incorrect access control vulnerability(bsc#1192763).
  • CVE-2021-41174: Fixed XSS vulnerability on unauthenticated pages through interpolation binding expressions for AngularJS in URL (bsc#1192383).
  • CVE-2021-3711: Fixed SM2 Decryption Buffer Overflow (bsc#1189520).
  • CVE-2021-36222: Fixed a null pointer dereference in the KDC (bsc#1188571).
  • CVE-2021-43798: Fixed arbitrary file read in the graph native plugin (bsc#1193492).
References

Affected packages

SUSE:Enterprise Storage 6 / grafana

Package

Name
grafana
Purl
pkg:rpm/suse/grafana&distro=SUSE%20Enterprise%20Storage%206

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.5.13-150100.3.12.1

Ecosystem specific

{
    "binaries": [
        {
            "grafana": "8.5.13-150100.3.12.1"
        }
    ]
}