
x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-7rqg-hjwc-6mjf #1599

Closed
GoVulnBot opened this issue Mar 1, 2023 · 3 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-7rqg-hjwc-6mjf, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/grafana/grafana | 9.3.4 | >= 9.3, < 9.3.4 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.3.0
        fixed: 9.3.4
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.2.0
        fixed: 9.2.10
    packages:
      - package: github.com/grafana/grafana
description: "### Description \nOn 2023-01-01 during an internal audit of Grafana,
    a member of the security team found a stored XSS vulnerability affecting the core
    plugin \"Text\".\n\nThe stored XSS vulnerability requires several user interactions
    in order to be fully exploited. The vulnerability was possible due to React's
    render cycle that will pass through the unsanitized HTML code, but in the next
    cycle the HTML is cleaned up and saved in Grafana's database.\n\n### Impact\nAn
    attacker needs to have the Editor role in order to change a Text panel to include
    JavaScript. Later, another user needs to edit the same Text panel, and click
    on \"Markdown\" or \"HTML\" for the code to be executed. This means that vertical
    privilege escalation is possible, where a user with Editor role can change to
    a known password for a user having Admin role if the user with Admin role executes
    malicious JavaScript viewing a dashboard.\n\n### Impacted versions\nGrafana
    versions 9.2.x and 9.3.x\n\n### Solutions and mitigations\nUpdate your Grafana
    instance.\n\n\n## Reporting security issues\n\nIf you think you have found a security
    vulnerability, please send a report to security@grafana.com. This address can
    be used for all of Grafana Labs' open source and commercial products (including,
    but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com).
    We can accept only vulnerability reports at this address. We would prefer that
    you encrypt your message to us by using our PGP key. The key fingerprint is\n\nF988
    7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from keyserver.ubuntu.com.\n\n##
    Security announcements\n\nWe maintain a [security category](https://community.grafana.com/c/support/security-announcements)
    on our blog, where we will always post a summary, remediation, and mitigation
    details for any patch containing security fixes.\n\nYou can also subscribe to
    our [RSS feed](https://grafana.com/tags/security/index.xml)."
cves:
  - CVE-2023-22462
ghsas:
  - GHSA-7rqg-hjwc-6mjf
references:
  - advisory: https://github.com/grafana/grafana/security/advisories/GHSA-7rqg-hjwc-6mjf
  - fix: https://github.com/grafana/grafana/commit/db83d5f398caffe35c5846cfa7727d1a2a414165
  - web: https://grafana.com/blog/2023/02/28/grafana-security-release-new-versions-with-security-fixes-for-cve-2023-0594-cve-2023-0507-and-cve-2023-22462/
  - advisory: https://github.com/advisories/GHSA-7rqg-hjwc-6mjf
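
The render-then-sanitize ordering the advisory describes, as an added illustration that is not Grafana's code and not the content of the referenced fix commit: `sanitize`, `renderVulnerable`, `renderFixed` and `SAMPLE_PANEL` are constructed for this example, and the sanitizer is a deliberately minimal stand-in, not a substitute for a maintained HTML sanitizer.

```javascript
// Added illustration of the ordering bug described in the advisory.
// NOT Grafana's code; the sanitizer is a minimal stand-in constructed for
// this example and must not be used in place of a real HTML sanitizer.

// Strip markup a Text panel should never emit: script tags, on* event
// handler attributes, and javascript: URLs.
function sanitize(html) {
  return html
    .replace(/<\s*\/?\s*script\b[^>]*>/gi, "")
    .replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "")
    .replace(/javascript:/gi, "");
}

// Vulnerable ordering: cycle 1 renders the stored content as-is; only in
// cycle 2 is the cleaned value rendered and persisted. The raw HTML reaches
// the DOM once, which is enough for stored active content to run.
function renderVulnerable(panelContent) {
  const frames = [];
  frames.push(panelContent);               // cycle 1: unsanitized HTML rendered
  const cleaned = sanitize(panelContent);
  frames.push(cleaned);                    // cycle 2: cleaned HTML rendered and saved
  return { frames, saved: cleaned };
}

// Fixed ordering: sanitize before the first render, so no cycle ever
// commits unsanitized HTML, even though the saved value is identical.
function renderFixed(panelContent) {
  const cleaned = sanitize(panelContent);
  return { frames: [cleaned], saved: cleaned };
}

// Did any render cycle emit active content? Checks every frame, not only the
// final one, which is what a "sanitized on save" check alone would miss.
function everRenderedActiveContent(result) {
  return result.frames.some(f => /<script\b|\son\w+\s*=|javascript:/i.test(f));
}

// Constructed sample panel content (not a real finding): benign text plus
// markup an Editor should not be able to persist.
const SAMPLE_PANEL =
  '<p>Hello</p><script>/* constructed */</script><img src="x" onerror="x">';

console.log("vulnerable path rendered active content:",
  everRenderedActiveContent(renderVulnerable(SAMPLE_PANEL)));
console.log("fixed path rendered active content:",
  everRenderedActiveContent(renderFixed(SAMPLE_PANEL)));
```

Both paths end up saving the same cleaned string; the difference is only visible if you inspect every render cycle, not just the persisted value.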

@zpavlinovic zpavlinovic self-assigned this Mar 1, 2023
@zpavlinovic zpavlinovic added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Mar 1, 2023
@zpavlinovic
Contributor

Vulnerability in tool.

@gopherbot
Contributor

Change https://go.dev/cl/472715 mentions this issue: data/excluded: batch add GO-2023-1599, GO-2023-1598

@gopherbot
Contributor

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports
