[RHSA-2023:6420] grafana security and enhancement update

Severity Moderate

Affected Packages 4

CVEs 9

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

Security Fix(es):

grafana: persistent xss in grafana core plugins (CVE-2022-23552)
grafana: plugin signature bypass (CVE-2022-31123)
grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (CVE-2022-31130)
grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins (CVE-2022-39201)
grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)
grafana: User enumeration via forget password (CVE-2022-39307)
grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)
golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)
golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section.

Package	Affected Version
pkg:rpm/redhat/grafana?arch=x86_64&distro=redhat-9.3	< 9.2.10-7.el9_3
pkg:rpm/redhat/grafana?arch=s390x&distro=redhat-9.3	< 9.2.10-7.el9_3
pkg:rpm/redhat/grafana?arch=ppc64le&distro=redhat-9.3	< 9.2.10-7.el9_3
pkg:rpm/redhat/grafana?arch=aarch64&distro=redhat-9.3	< 9.2.10-7.el9_3

ID

RHSA-2023:6420

Severity

moderate

URL

https://access.redhat.com/errata/RHSA-2023:6420

Published

2023-11-07T00:00:00
(10 months ago)

Modified

2023-11-07T00:00:00
(10 months ago)

Rights

Other Advisories

Source	# ID	URL
Bugzilla	2131146	https://bugzilla.redhat.com/2131146
Bugzilla	2131147	https://bugzilla.redhat.com/2131147
Bugzilla	2131148	https://bugzilla.redhat.com/2131148
Bugzilla	2138014	https://bugzilla.redhat.com/2138014
Bugzilla	2138015	https://bugzilla.redhat.com/2138015
Bugzilla	2148252	https://bugzilla.redhat.com/2148252
Bugzilla	2158420	https://bugzilla.redhat.com/2158420
Bugzilla	2161274	https://bugzilla.redhat.com/2161274
Bugzilla	2184483	https://bugzilla.redhat.com/2184483
RHSA	RHSA-2023:6420	https://access.redhat.com/errata/RHSA-2023:6420
CVE	CVE-2022-23552	https://access.redhat.com/security/cve/CVE-2022-23552
CVE	CVE-2022-31123	https://access.redhat.com/security/cve/CVE-2022-31123
CVE	CVE-2022-31130	https://access.redhat.com/security/cve/CVE-2022-31130
CVE	CVE-2022-39201	https://access.redhat.com/security/cve/CVE-2022-39201
CVE	CVE-2022-39306	https://access.redhat.com/security/cve/CVE-2022-39306
CVE	CVE-2022-39307	https://access.redhat.com/security/cve/CVE-2022-39307
CVE	CVE-2022-39324	https://access.redhat.com/security/cve/CVE-2022-39324
CVE	CVE-2022-41717	https://access.redhat.com/security/cve/CVE-2022-41717
CVE	CVE-2023-24534	https://access.redhat.com/security/cve/CVE-2023-24534

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/redhat/grafana?arch=x86_64&distro=redhat-9.3	redhat	grafana	< 9.2.10-7.el9_3	redhat-9.3	x86_64
Affected	pkg:rpm/redhat/grafana?arch=s390x&distro=redhat-9.3	redhat	grafana	< 9.2.10-7.el9_3	redhat-9.3	s390x
Affected	pkg:rpm/redhat/grafana?arch=ppc64le&distro=redhat-9.3	redhat	grafana	< 9.2.10-7.el9_3	redhat-9.3	ppc64le
Affected	pkg:rpm/redhat/grafana?arch=aarch64&distro=redhat-9.3	redhat	grafana	< 9.2.10-7.el9_3	redhat-9.3	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date