Security update for grafana and system-user-grafana SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1233-1 Final 1 1 2021-04-15T15:21:15Z current 2021-04-15T15:21:15Z 2021-04-15T15:21:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for grafana and system-user-grafana This update for grafana and system-user-grafana fixes the following issues: - Updated grafana to upstream version 7.3.1 * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana * CVE-2020-12245: Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip (bsc#1170557) * CVE-2020-13379: The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault (bsc#1172409) * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana (bsc#1148383) * CVE-2020-12052: Grafana version below 6.7.3 is vulnerable for annotation popup XSS (bsc#1170657) * CVE-2020-24303: Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. (bsc#1178243) * CVE-2018-18623: Grafana 5.3.1 has XSS via the 'Dashboard > Text Panel' screen (bsc#1172450) * CVE-2019-19499: Grafana versions below or equal to 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations (bsc#1175951) * Please refer to this package's changelog to get a full list of all changes (including bug fixes etc.) - Initial shipment of system-user-grafana to SES 6 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container caasp/v4/grafana:7.5.12-2021-1233,SUSE-2021-1233,SUSE-SLE-Manager-Tools-15-2021-1233,SUSE-Storage-6-2021-1233 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211233-1/ Link for SUSE-SU-2021:1233-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008643.html E-Mail link for SUSE-SU-2021:1233-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1148383 SUSE Bug 1148383 https://bugzilla.suse.com/1170557 SUSE Bug 1170557 https://bugzilla.suse.com/1170657 SUSE Bug 1170657 https://bugzilla.suse.com/1172409 SUSE Bug 1172409 https://bugzilla.suse.com/1172450 SUSE Bug 1172450 https://bugzilla.suse.com/1175951 SUSE Bug 1175951 https://bugzilla.suse.com/1178243 SUSE Bug 1178243 https://www.suse.com/security/cve/CVE-2018-18623/ SUSE CVE CVE-2018-18623 page https://www.suse.com/security/cve/CVE-2019-15043/ SUSE CVE CVE-2019-15043 page https://www.suse.com/security/cve/CVE-2019-19499/ SUSE CVE CVE-2019-19499 page https://www.suse.com/security/cve/CVE-2020-12052/ SUSE CVE CVE-2020-12052 page https://www.suse.com/security/cve/CVE-2020-12245/ SUSE CVE CVE-2020-12245 page https://www.suse.com/security/cve/CVE-2020-13379/ SUSE CVE CVE-2020-13379 page https://www.suse.com/security/cve/CVE-2020-24303/ SUSE CVE CVE-2020-24303 page Container caasp/v4/grafana:7.5.12 SUSE Enterprise Storage 6 SUSE Manager Tools 15 system-user-grafana-1.0.0-3.9.1 grafana-7.3.1-3.6.1 system-user-grafana-1.0.0-3.9.1 as a component of Container caasp/v4/grafana:7.5.12 grafana-7.3.1-3.6.1 as a component of SUSE Enterprise Storage 6 system-user-grafana-1.0.0-3.9.1 as a component of SUSE Enterprise Storage 6 system-user-grafana-1.0.0-3.9.1 as a component of SUSE Manager Tools 15 Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen. NOTE: this issue exists because of an incomplete fix for CVE-2018-12099. CVE-2018-18623 Container caasp/v4/grafana:7.5.12:system-user-grafana-1.0.0-3.9.1 SUSE Enterprise Storage 6:grafana-7.3.1-3.6.1 SUSE Enterprise Storage 6:system-user-grafana-1.0.0-3.9.1 SUSE Manager Tools 15:system-user-grafana-1.0.0-3.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211233-1/ https://www.suse.com/security/cve/CVE-2018-18623.html CVE-2018-18623 https://bugzilla.suse.com/1172450 SUSE Bug 1172450 https://bugzilla.suse.com/1174583 SUSE Bug 1174583 https://bugzilla.suse.com/1175951 SUSE Bug 1175951 In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. CVE-2019-15043 Container caasp/v4/grafana:7.5.12:system-user-grafana-1.0.0-3.9.1 SUSE Enterprise Storage 6:grafana-7.3.1-3.6.1 SUSE Enterprise Storage 6:system-user-grafana-1.0.0-3.9.1 SUSE Manager Tools 15:system-user-grafana-1.0.0-3.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211233-1/ https://www.suse.com/security/cve/CVE-2019-15043.html CVE-2019-15043 https://bugzilla.suse.com/1148383 SUSE Bug 1148383 Grafana <= 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations. CVE-2019-19499 Container caasp/v4/grafana:7.5.12:system-user-grafana-1.0.0-3.9.1 SUSE Enterprise Storage 6:grafana-7.3.1-3.6.1 SUSE Enterprise Storage 6:system-user-grafana-1.0.0-3.9.1 SUSE Manager Tools 15:system-user-grafana-1.0.0-3.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211233-1/ https://www.suse.com/security/cve/CVE-2019-19499.html CVE-2019-19499 https://bugzilla.suse.com/1175951 SUSE Bug 1175951 Grafana version < 6.7.3 is vulnerable for annotation popup XSS. CVE-2020-12052 Container caasp/v4/grafana:7.5.12:system-user-grafana-1.0.0-3.9.1 SUSE Enterprise Storage 6:grafana-7.3.1-3.6.1 SUSE Enterprise Storage 6:system-user-grafana-1.0.0-3.9.1 SUSE Manager Tools 15:system-user-grafana-1.0.0-3.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211233-1/ https://www.suse.com/security/cve/CVE-2020-12052.html CVE-2020-12052 https://bugzilla.suse.com/1170657 SUSE Bug 1170657 Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. CVE-2020-12245 Container caasp/v4/grafana:7.5.12:system-user-grafana-1.0.0-3.9.1 SUSE Enterprise Storage 6:grafana-7.3.1-3.6.1 SUSE Enterprise Storage 6:system-user-grafana-1.0.0-3.9.1 SUSE Manager Tools 15:system-user-grafana-1.0.0-3.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211233-1/ https://www.suse.com/security/cve/CVE-2020-12245.html CVE-2020-12245 https://bugzilla.suse.com/1170557 SUSE Bug 1170557 The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. CVE-2020-13379 Container caasp/v4/grafana:7.5.12:system-user-grafana-1.0.0-3.9.1 SUSE Enterprise Storage 6:grafana-7.3.1-3.6.1 SUSE Enterprise Storage 6:system-user-grafana-1.0.0-3.9.1 SUSE Manager Tools 15:system-user-grafana-1.0.0-3.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211233-1/ https://www.suse.com/security/cve/CVE-2020-13379.html CVE-2020-13379 https://bugzilla.suse.com/1172409 SUSE Bug 1172409 Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. CVE-2020-24303 Container caasp/v4/grafana:7.5.12:system-user-grafana-1.0.0-3.9.1 SUSE Enterprise Storage 6:grafana-7.3.1-3.6.1 SUSE Enterprise Storage 6:system-user-grafana-1.0.0-3.9.1 SUSE Manager Tools 15:system-user-grafana-1.0.0-3.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211233-1/ https://www.suse.com/security/cve/CVE-2020-24303.html CVE-2020-24303 https://bugzilla.suse.com/1178243 SUSE Bug 1178243