[ALSA-2022:7519] grafana security, bug fix, and enhancement update

Severity Moderate
Affected Packages 2
CVEs 15

grafana security, bug fix, and enhancement update

Grafana is an open-source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB.

The following packages have been upgraded to a later upstream version: grafana (7.5.15). (BZ#2055348)

Security Fix(es):

  • sanitize-url: XSS due to improper sanitization in sanitizeUrl function (CVE-2021-23648)
  • golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
  • golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
  • grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)
  • prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
  • grafana: XSS vulnerability in data source handling (CVE-2022-21702)
  • grafana: CSRF vulnerability can lead to privilege escalation (CVE-2022-21703)
  • grafana: IDOR vulnerability can lead to information disclosure (CVE-2022-21713)
  • golang: encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)
  • golang: io/fs: stack exhaustion in Glob (CVE-2022-30630)
  • golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)
  • golang: path/filepath: stack exhaustion in Glob (CVE-2022-30632)
  • golang: encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)
  • golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)
  • golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

ID: ALSA-2022:7519
Severity: moderate
URL: https://errata.almalinux.org/ALSA-2022:7519.html
Published: 2022-11-08T00:00:00
Modified: 2022-11-12T01:59:13
Rights: Copyright 2022 AlmaLinux OS
Other Advisories
Source | ID | URL
RHSA RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
CVE CVE-2021-23648 https://access.redhat.com/security/cve/CVE-2021-23648
CVE CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-1705
CVE CVE-2022-1962 https://access.redhat.com/security/cve/CVE-2022-1962
CVE CVE-2022-21673 https://access.redhat.com/security/cve/CVE-2022-21673
CVE CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-21698
CVE CVE-2022-21702 https://access.redhat.com/security/cve/CVE-2022-21702
CVE CVE-2022-21703 https://access.redhat.com/security/cve/CVE-2022-21703
CVE CVE-2022-21713 https://access.redhat.com/security/cve/CVE-2022-21713
CVE CVE-2022-28131 https://access.redhat.com/security/cve/CVE-2022-28131
CVE CVE-2022-30630 https://access.redhat.com/security/cve/CVE-2022-30630
CVE CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-30631
CVE CVE-2022-30632 https://access.redhat.com/security/cve/CVE-2022-30632
CVE CVE-2022-30633 https://access.redhat.com/security/cve/CVE-2022-30633
CVE CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-30635
CVE CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-32148
Bugzilla 2044628 https://bugzilla.redhat.com/2044628
Bugzilla 2045880 https://bugzilla.redhat.com/2045880
Bugzilla 2050648 https://bugzilla.redhat.com/2050648
Bugzilla 2050742 https://bugzilla.redhat.com/2050742
Bugzilla 2050743 https://bugzilla.redhat.com/2050743
Bugzilla 2065290 https://bugzilla.redhat.com/2065290
Bugzilla 2107342 https://bugzilla.redhat.com/2107342
Bugzilla 2107371 https://bugzilla.redhat.com/2107371
Bugzilla 2107374 https://bugzilla.redhat.com/2107374
Bugzilla 2107376 https://bugzilla.redhat.com/2107376
Bugzilla 2107383 https://bugzilla.redhat.com/2107383
Bugzilla 2107386 https://bugzilla.redhat.com/2107386
Bugzilla 2107388 https://bugzilla.redhat.com/2107388
Bugzilla 2107390 https://bugzilla.redhat.com/2107390
Bugzilla 2107392 https://bugzilla.redhat.com/2107392
Self ALSA-2022:7519 https://errata.almalinux.org/8/ALSA-2022-7519.html
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix
Affected | pkg:rpm/almalinux/grafana?arch=x86_64&distro=almalinux-8 | almalinux | grafana | < 7.5.15-3.el8 | almalinux-8 | x86_64 |
Affected | pkg:rpm/almalinux/grafana?arch=aarch64&distro=almalinux-8 | almalinux | grafana | < 7.5.15-3.el8 | almalinux-8 | aarch64 |
# | CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Publication Date | Modification Date