Bugzilla – Bug 1096985
VUL-0: CVE-2018-12099: grafana: Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
Last modified: 2021-08-11 11:21:08 UTC
CVE-2018-12099 Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12099
https://github.com/grafana/grafana/releases/tag/v5.2.0-beta1
https://github.com/grafana/grafana/pull/11813
Backport to 4.5.x: https://github.com/grafana/grafana/pull/12265
https://github.com/grafana/grafana/commit/83fae7f49f913ff18672097a9f7a4ad37833e2aa is a patch that works against the tar release, which has JS files minified.
I will pick this update as soon as the current updates are out. We are a bit overloaded currently.
Created attachment 778716 [details] xss-not-fixed.png
Hello,
Deployed a Monasca-enabled cloud with:
> doener3:~ # export UPDATEREPOS=http://download.suse.de/ibs/SUSE:/Maintenance:/8048/SUSE_Updates_OpenStack-Cloud_8_x86_64/
> doener3:~ # user_keyfile=/tmp/viccuad.pub cloudpv=/dev/cloud nodenumber=7 want_monasca_proposal=1 controller_node_memory=20971520 storage_method=none mkcloudtarget=all cloudsource=GM8+up networkingplugin=openvswitch networkingmode=vxlan /root/automation/scripts/mkcloud all 2>&1 | tee scenario1_$(date +%Y-%m-%d_%H%M)
Followed the reproducer at https://github.com/grafana/grafana/pull/11813#issue-185710569
I was able to trigger the XSS script on a mouseover, so I think this bug isn't fixed. See attached screenshot.
Yes, the maintenance update wasn't yet created. (Btw. this is also tracked in https://trello.com/c/5MGLsLR1/1005-bug-1096985-cve-2018-12099-vul-0-cve-2018-12099-grafana-grafana-before-520-beta1-has-xss-vulnerabilities-in-dashboard-links.)
Rick, please make sure these maintenance updates are created?
FWIW, the update that I'm testing does indeed contain a patch with the minified js that supposedly fixes the XSS vulnerability: https://build.suse.de/package/view_file/SUSE:Maintenance:8048/grafana.SUSE_SLE-12-SP3_Update_Products_Cloud8_Update/0001-fix-XSS-vulnerabilities-in-dashboard-links.patch?rev=2
I just checked: those minified js files contain the change in https://github.com/grafana/grafana/pull/12265 which was supposed to fix the vulnerability. Can you verify if the change in the js is present in the browser?
Created attachment 778744 [details] xss-fix-is-working.png
The code is there, the fix indeed works; from prettifying and looking at it, I realized that I put the XSS code in the wrong field (see new screenshot). Sorry for the noise, and many thanks for the prompt response.
If the XSS still works in the tooltip field, then that means it is not sufficiently fixed.
The XSS still works in the tooltip field. The minified changes in the patch to the tar are being shipped correctly and are present in the system. By looking at the js script in the browser and the HTTP GET requests downloading js files, I don't see the specific js scripts getting loaded when I go through the motions of opening the grafana dashboard, and later adding the new link in settings -> links. I'm not so well versed in frontend, so maybe I'm missing something.
SUSE-SU-2018:2317-1: An update that solves two vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 1090336,1090849,1094448,1095603,1096985,1097847,1101366
CVE References: CVE-2018-12099,CVE-2018-3817
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): grafana-4.5.1-4.3.1, kafka-0.9.0.1-5.3.1, logstash-2.4.1-5.4.1, openstack-monasca-installer-20180622_15.06-3.6.1
SUSE OpenStack Cloud 8 (src): grafana-4.5.1-4.3.1, kafka-0.9.0.1-5.3.1, logstash-2.4.1-5.4.1, openstack-monasca-installer-20180622_15.06-3.6.1
HPE Helion Openstack 8 (src): grafana-4.5.1-4.3.1, kafka-0.9.0.1-5.3.1, logstash-2.4.1-5.4.1, openstack-monasca-installer-20180622_15.06-3.6.1
Hello,
As already commented in the case of testing a SOC8 update for this, the corresponding SOC7 backport, being shipped in update SUSE:Maintenance:8371:170231, SR https://build.suse.de/request/show/170231, contains only a partial fix of the CVE, as the XSS works on the tooltip field (see attached screenshot).
Created attachment 780437 [details] fix_not_working_tooltip_SOC7
SUSE-SU-2018:2536-1: An update that solves three vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 1086909,1090192,1090343,1090849,1094448,1095603,1096985,1102920
CVE References: CVE-2018-12099,CVE-2018-1288,CVE-2018-3817
Sources used:
SUSE OpenStack Cloud 7 (src): grafana-4.5.1-1.8.1, kafka-0.10.2.2-5.1, logstash-2.4.1-5.1, monasca-installer-20180608_12.47-9.1
done
Victor did show it was only partially fixed. Did anything else happen that makes it now fixed?
Tracked for Cloud Monitoring in https://jira.suse.com/browse/SOC-9975
SUSE-SU-2019:2867-1: An update that solves 11 vulnerabilities and has 10 fixes is now available. Category: security (moderate) Bug References: 1019074,1096985,1106515,1115960,1116846,1118900,1120657,1125893,1126088,1132593,1132666,1136035,1141121,1141676,1143215,1145796,1146578,1148158,1148383,1150895,917802 CVE References: CVE-2015-3448,CVE-2016-10127,CVE-2018-15727,CVE-2018-19039,CVE-2018-558213,CVE-2019-13611,CVE-2019-15043,CVE-2019-2614,CVE-2019-2627,CVE-2019-2628,CVE-2019-5477 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): crowbar-core-5.0+git.1569597589.1f025c557-3.32.2, crowbar-ha-5.0+git.1567673535.607aada-3.26.2, crowbar-openstack-5.0+git.1570141351.058c8bd44-4.31.2, crowbar-ui-1.2.0+git.1568396400.0344a727-3.12.3, galera-3-25.3.25-4.6.3, grafana-4.6.5-4.6.3, mariadb-10.2.25-4.14.2, mariadb-connector-c-3.1.2-3.12.3, novnc-1.0.0-3.6.3, openstack-cinder-11.2.3~dev16-3.21.4, openstack-cinder-doc-11.2.3~dev16-3.21.3, openstack-glance-15.0.3~dev3-3.12.4, openstack-glance-doc-15.0.3~dev3-3.12.3, openstack-heat-9.0.8~dev13-3.24.4, openstack-heat-doc-9.0.8~dev13-3.24.3, openstack-horizon-plugin-neutron-vpnaas-ui-1.0.1~dev3-3.6.4, openstack-keystone-12.0.4~dev4-5.27.4, openstack-keystone-doc-12.0.4~dev4-5.27.3, openstack-monasca-installer-20190923_16.32-3.9.3, openstack-neutron-11.0.9~dev51-3.24.5, openstack-neutron-doc-11.0.9~dev51-3.24.4, openstack-neutron-gbp-7.3.1~dev56-3.9.4, openstack-neutron-lbaas-11.0.4~dev6-3.15.4, openstack-neutron-lbaas-doc-11.0.4~dev6-3.15.4, openstack-nova-16.1.9~dev7-3.29.3, openstack-nova-doc-16.1.9~dev7-3.29.3, python-amqp-2.2.2-3.6.3, python-ovs-2.7.2-3.6.1, python-pysaml2-4.0.2-5.3.3, python-urllib3-1.22-5.9.3, release-notes-suse-openstack-cloud-8.20190911-3.20.3, rubygem-easy_diff-1.0.0-3.4.2 SUSE OpenStack Cloud 8 (src): ardana-ansible-8.0+git.1566374355.c509923-3.67.3, ardana-glance-8.0+git.1566376789.be0fe01-3.17.3, ardana-horizon-8.0+git.1565816064.5d4f73f-3.18.3, ardana-input-model-8.0+git.1566517401.98450e6-3.33.3, 
ardana-manila-8.0+git.1568835837.2452e7a-1.21.3, ardana-neutron-8.0+git.1568220097.74ee4b4-3.33.3, ardana-nova-8.0+git.1566902754.c58ff69-3.35.3, ardana-octavia-8.0+git.1568373448.bcaee7e-3.20.3, ardana-tempest-8.0+git.1566471887.fd2fec7-3.27.3, galera-3-25.3.25-4.6.3, grafana-4.6.5-4.6.3, mariadb-10.2.25-4.14.2, mariadb-connector-c-3.1.2-3.12.3, novnc-1.0.0-3.6.3, openstack-cinder-11.2.3~dev16-3.21.4, openstack-cinder-doc-11.2.3~dev16-3.21.3, openstack-glance-15.0.3~dev3-3.12.4, openstack-glance-doc-15.0.3~dev3-3.12.3, openstack-heat-9.0.8~dev13-3.24.4, openstack-heat-doc-9.0.8~dev13-3.24.3, openstack-horizon-plugin-neutron-vpnaas-ui-1.0.1~dev3-3.6.4, openstack-keystone-12.0.4~dev4-5.27.4, openstack-keystone-doc-12.0.4~dev4-5.27.3, openstack-monasca-installer-20190923_16.32-3.9.3, openstack-neutron-11.0.9~dev51-3.24.5, openstack-neutron-doc-11.0.9~dev51-3.24.4, openstack-neutron-gbp-7.3.1~dev56-3.9.4, openstack-neutron-lbaas-11.0.4~dev6-3.15.4, openstack-neutron-lbaas-doc-11.0.4~dev6-3.15.4, openstack-nova-16.1.9~dev7-3.29.3, openstack-nova-doc-16.1.9~dev7-3.29.3, python-amqp-2.2.2-3.6.3, python-ovs-2.7.2-3.6.1, python-pysaml2-4.0.2-5.3.3, python-python-engineio-2.0.2-3.3.3, python-urllib3-1.22-5.9.3, release-notes-suse-openstack-cloud-8.20190911-3.20.3, venv-openstack-aodh-5.1.1~dev7-12.20.2, venv-openstack-barbican-5.0.2~dev3-12.21.2, venv-openstack-ceilometer-9.0.8~dev7-12.18.2, venv-openstack-cinder-11.2.3~dev16-14.21.2, venv-openstack-designate-5.0.3~dev7-12.19.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.16.2, venv-openstack-glance-15.0.3~dev3-12.19.2, venv-openstack-heat-9.0.8~dev13-12.21.2, venv-openstack-horizon-12.0.4~dev6-14.26.2, venv-openstack-ironic-9.1.8~dev7-12.21.2, venv-openstack-keystone-12.0.4~dev4-11.22.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.20.2, venv-openstack-manila-5.1.1~dev2-12.23.2, venv-openstack-monasca-2.2.2~dev1-11.18.2, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.16.2, 
venv-openstack-murano-4.0.2~dev2-12.16.2, venv-openstack-neutron-11.0.9~dev51-13.24.3, venv-openstack-nova-16.1.9~dev7-11.22.3, venv-openstack-octavia-1.0.6~dev2-12.21.2, venv-openstack-sahara-7.0.4~dev1-11.20.2, venv-openstack-swift-2.15.2-11.13.3, venv-openstack-trove-8.0.1~dev13-11.20.2 HPE Helion Openstack 8 (src): ardana-ansible-8.0+git.1566374355.c509923-3.67.3, ardana-glance-8.0+git.1566376789.be0fe01-3.17.3, ardana-horizon-8.0+git.1565816064.5d4f73f-3.18.3, ardana-input-model-8.0+git.1566517401.98450e6-3.33.3, ardana-manila-8.0+git.1568835837.2452e7a-1.21.3, ardana-neutron-8.0+git.1568220097.74ee4b4-3.33.3, ardana-nova-8.0+git.1566902754.c58ff69-3.35.3, ardana-octavia-8.0+git.1568373448.bcaee7e-3.20.3, ardana-tempest-8.0+git.1566471887.fd2fec7-3.27.3, galera-3-25.3.25-4.6.3, grafana-4.6.5-4.6.3, mariadb-10.2.25-4.14.2, mariadb-connector-c-3.1.2-3.12.3, novnc-1.0.0-3.6.3, openstack-cinder-11.2.3~dev16-3.21.4, openstack-cinder-doc-11.2.3~dev16-3.21.3, openstack-glance-15.0.3~dev3-3.12.4, openstack-glance-doc-15.0.3~dev3-3.12.3, openstack-heat-9.0.8~dev13-3.24.4, openstack-heat-doc-9.0.8~dev13-3.24.3, openstack-horizon-plugin-neutron-vpnaas-ui-1.0.1~dev3-3.6.4, openstack-keystone-12.0.4~dev4-5.27.4, openstack-keystone-doc-12.0.4~dev4-5.27.3, openstack-monasca-installer-20190923_16.32-3.9.3, openstack-neutron-11.0.9~dev51-3.24.5, openstack-neutron-doc-11.0.9~dev51-3.24.4, openstack-neutron-gbp-7.3.1~dev56-3.9.4, openstack-neutron-lbaas-11.0.4~dev6-3.15.4, openstack-neutron-lbaas-doc-11.0.4~dev6-3.15.4, openstack-nova-16.1.9~dev7-3.29.3, openstack-nova-doc-16.1.9~dev7-3.29.3, python-amqp-2.2.2-3.6.3, python-pysaml2-4.0.2-5.3.3, python-python-engineio-2.0.2-3.3.3, python-urllib3-1.22-5.9.3, release-notes-hpe-helion-openstack-8.20190911-3.20.3, venv-openstack-aodh-5.1.1~dev7-12.20.2, venv-openstack-barbican-5.0.2~dev3-12.21.2, venv-openstack-ceilometer-9.0.8~dev7-12.18.2, venv-openstack-cinder-11.2.3~dev16-14.21.2, venv-openstack-designate-5.0.3~dev7-12.19.2, 
venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.16.2, venv-openstack-glance-15.0.3~dev3-12.19.2, venv-openstack-heat-9.0.8~dev13-12.21.2, venv-openstack-horizon-hpe-12.0.4~dev6-14.26.2, venv-openstack-ironic-9.1.8~dev7-12.21.2, venv-openstack-keystone-12.0.4~dev4-11.22.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.20.2, venv-openstack-manila-5.1.1~dev2-12.23.2, venv-openstack-monasca-2.2.2~dev1-11.18.2, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.16.2, venv-openstack-murano-4.0.2~dev2-12.16.2, venv-openstack-neutron-11.0.9~dev51-13.24.3, venv-openstack-nova-16.1.9~dev7-11.22.3, venv-openstack-octavia-1.0.6~dev2-12.21.2, venv-openstack-sahara-7.0.4~dev1-11.20.2, venv-openstack-swift-2.15.2-11.13.3, venv-openstack-trove-8.0.1~dev13-11.20.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1273-1: An update that fixes 6 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1096985,1106515,1115960,1139862,1148383,1167424
CVE References: CVE-2018-12099,CVE-2018-15727,CVE-2018-19039,CVE-2018-558213,CVE-2019-13068,CVE-2019-15043
Sources used:
SUSE Enterprise Storage 5 (src): grafana-4.6.5-3.10.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Reassigning to security team as SES-5 is end of life and SES-6 wasn't affected.
released