SB2022060233 - openEuler update for grafana
Published: June 2, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2022-21703)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into inviting the attacker as a new user with high privileges to escalate privileges.
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2022-21713)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to an Insecure Direct Object Reference (IDOR) error in Grafana Teams APIs. A remote authenticated user can view unintended data by querying for the specific team ID or search for teams and see the total number of available teams.
Remediation
Install update from vendor's website.