Red Hat Enterprise Linux 9 update for grafana
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2022-23552 CVE-2022-31123 CVE-2022-31130 CVE-2022-39201 CVE-2022-39306 CVE-2022-39307 CVE-2022-39324 CVE-2022-41717 CVE-2023-24534 |
| CWE-ID | CWE-79 CWE-347 CWE-200 CWE-20 CWE-451 CWE-770 CWE-400 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #8 is available. |
| Vulnerable software Subscribe |
Red Hat Enterprise Linux for ARM 64 Operating systems & Components / Operating system Red Hat Enterprise Linux for Power, little endian Operating systems & Components / Operating system Red Hat Enterprise Linux for IBM z Systems Operating systems & Components / Operating system Red Hat Enterprise Linux for x86_64 Operating systems & Components / Operating system grafana (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Stored cross-site scripting
EUVDB-ID: #VU71567
Risk: Low
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-23552
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user with the Editor role can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
grafana (Red Hat package): before 9.2.10-7.el9_3
External linkshttp://access.redhat.com/errata/RHSA-2023:6420
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU72128
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31123
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected instance.
The vulnerability exists due to missing signature verification mechanism. A remote attacker can trick the server admin into installing a malicious plugin even though unsigned plugins are not allowed.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
grafana (Red Hat package): before 9.2.10-7.el9_3
External linkshttp://access.redhat.com/errata/RHSA-2023:6420
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU72130
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31130
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to the GitLab data source plugin leaks the API key to GitLab. A remote privileged user can expose Grafana authentication token to a third-party.
Install updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
grafana (Red Hat package): before 9.2.10-7.el9_3
External linkshttp://access.redhat.com/errata/RHSA-2023:6420
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU72131
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-39201
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to Grafana leaks the authentication cookie of users to plugins. A remote user can gain unauthorized access to sensitive information.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
grafana (Red Hat package): before 9.2.10-7.el9_3
External linkshttp://access.redhat.com/errata/RHSA-2023:6420
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU69484
Risk: Medium
CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-39306
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can use the invitation link to sign up with an arbitrary username/email with a malicious intent.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
grafana (Red Hat package): before 9.2.10-7.el9_3
External linkshttp://access.redhat.com/errata/RHSA-2023:6420
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU69485
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-39307
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application when using the forget password on the login page. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
grafana (Red Hat package): before 9.2.10-7.el9_3
External linkshttp://access.redhat.com/errata/RHSA-2023:6420
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Spoofing attack
EUVDB-ID: #VU71566
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-39324
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to usage of a hidden originalUrl parameter in the shared dashboard. A remote attacker can trick the victim into opening a shared snapshot and click on the button in the Grafana web UI, which will redirect user to an attacker-controlled URL.
Install updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
grafana (Red Hat package): before 9.2.10-7.el9_3
External linkshttp://access.redhat.com/errata/RHSA-2023:6420
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU70334
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-41717
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive memory growth when handling HTTP/2 server requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
grafana (Red Hat package): before 9.2.10-7.el9_3
External linkshttp://access.redhat.com/errata/RHSA-2023:6420
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Resource exhaustion
EUVDB-ID: #VU74571
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-24534
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing HTTP and MIME headers in net/textproto. A remote attacker can cause an HTTP server to allocate large amounts of memory from a small request and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 9
Red Hat Enterprise Linux for Power, little endian: 9
Red Hat Enterprise Linux for IBM z Systems: 9
Red Hat Enterprise Linux for x86_64: 9
grafana (Red Hat package): before 9.2.10-7.el9_3
External linkshttp://access.redhat.com/errata/RHSA-2023:6420
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
