Bugzilla – Bug 1178243
VUL-1: CVE-2020-24303: grafana: XSS via a query alias for the ElasticSearch datasource
Last modified: 2024-05-22 14:35:21 UTC
CVE-2020-24303: Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1892418
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24303
https://github.com/grafana/grafana/pull/25401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24303
https://github.com/grafana/grafana/blob/master/CHANGELOG.md#710-beta-1-2020-07-01

All supported code streams appear to be affected.
SUSE:SLE-12:Update - Affected
SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update - Affected
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update - Affected
SUSE:SLE-12-SP3:Update:Products:SES5:Update - Affected
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update - Affected
SUSE:SLE-15:Update - Affected
SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update - Affected
SUSE:SLE-15-SP1:Update:Products:SES6:Update - Affected
Note that NVD is wrong: it says the problem only exists "Up to (including) 7.0.5". 7.0.6 is also affected even though it was released after the fix. It is fixed in 7.1.0-beta1 and later.
https://build.opensuse.org/request/show/850537 https://build.opensuse.org/request/show/850567
https://build.opensuse.org/request/show/850804
SES neither uses nor supports ElasticSearch as a data source for Grafana in any of its versions.
SUSE-SU-2020:3624-1: An update that fixes 5 vulnerabilities, contains one feature is now available.
Category: security (moderate)
Bug References: 1005886,1170479,1177120,1178243,1178988
CVE References: CVE-2016-8611,CVE-2019-20933,CVE-2019-9740,CVE-2020-24303,CVE-2020-26137
JIRA References: SOC-11240
Sources used:
SUSE OpenStack Cloud 7 (src): crowbar-openstack-4.0+git.1604938545.30c10db18-9.77.1, grafana-6.7.4-1.20.1, influxdb-1.2.4-5.1, python-urllib3-1.16-3.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:3896-1: An update that solves 6 vulnerabilities, contains one feature and has one errata is now available.
Category: security (important)
Bug References: 1117080,1125815,1132174,1132323,1178243,1178988,1179161
CVE References: CVE-2016-10745,CVE-2018-17954,CVE-2019-10906,CVE-2019-20933,CVE-2019-8341,CVE-2020-24303
JIRA References: SOC-11240
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): crowbar-core-5.0+git.1606840757.839a64745-3.47.1, crowbar-openstack-5.0+git.1604938523.ded915845-4.46.1, grafana-6.7.4-4.15.1, influxdb-1.3.4-4.3.1, openstack-heat-templates-0.0.0+git.1605509190.64f020b-3.18.1, openstack-nova-16.1.9~dev77-3.42.1, openstack-nova-doc-16.1.9~dev77-3.42.1, python-Jinja2-2.9.6-3.3.1, rubygem-crowbar-client-3.9.3-3.15.1
SUSE OpenStack Cloud 8 (src): grafana-6.7.4-4.15.1, influxdb-1.3.4-4.3.1, openstack-heat-templates-0.0.0+git.1605509190.64f020b-3.18.1, openstack-nova-16.1.9~dev77-3.42.1, openstack-nova-doc-16.1.9~dev77-3.42.1, python-Jinja2-2.9.6-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.30.1, venv-openstack-barbican-5.0.2~dev3-12.31.1, venv-openstack-ceilometer-9.0.8~dev7-12.28.1, venv-openstack-cinder-11.2.3~dev29-14.32.1, venv-openstack-designate-5.0.3~dev7-12.29.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.26.1, venv-openstack-glance-15.0.3~dev3-12.29.1, venv-openstack-heat-9.0.8~dev22-12.31.1, venv-openstack-ironic-9.1.8~dev8-12.31.1, venv-openstack-keystone-12.0.4~dev11-11.32.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.30.1, venv-openstack-manila-5.1.1~dev5-12.35.1, venv-openstack-monasca-2.2.2~dev1-11.26.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.26.1, venv-openstack-murano-4.0.2~dev2-12.26.1, venv-openstack-neutron-11.0.9~dev69-13.34.1, venv-openstack-nova-16.1.9~dev77-11.32.1, venv-openstack-octavia-1.0.6~dev3-12.31.1, venv-openstack-sahara-7.0.5~dev4-11.30.1, venv-openstack-trove-8.0.2~dev2-11.30.1
HPE Helion Openstack 8 (src): grafana-6.7.4-4.15.1, influxdb-1.3.4-4.3.1, openstack-heat-templates-0.0.0+git.1605509190.64f020b-3.18.1, openstack-nova-16.1.9~dev77-3.42.1, openstack-nova-doc-16.1.9~dev77-3.42.1, python-Jinja2-2.9.6-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.30.1, venv-openstack-barbican-5.0.2~dev3-12.31.1, venv-openstack-ceilometer-9.0.8~dev7-12.28.1, venv-openstack-cinder-11.2.3~dev29-14.32.1, venv-openstack-designate-5.0.3~dev7-12.29.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.26.1, venv-openstack-glance-15.0.3~dev3-12.29.1, venv-openstack-heat-9.0.8~dev22-12.31.1, venv-openstack-ironic-9.1.8~dev8-12.31.1, venv-openstack-keystone-12.0.4~dev11-11.32.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.30.1, venv-openstack-manila-5.1.1~dev5-12.35.1, venv-openstack-monasca-2.2.2~dev1-11.26.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.26.1, venv-openstack-murano-4.0.2~dev2-12.26.1, venv-openstack-neutron-11.0.9~dev69-13.34.1, venv-openstack-nova-16.1.9~dev77-11.32.1, venv-openstack-octavia-1.0.6~dev3-12.31.1, venv-openstack-sahara-7.0.5~dev4-11.30.1, venv-openstack-trove-8.0.2~dev2-11.30.1
SUSE-SU-2020:3897-1: An update that solves 7 vulnerabilities, contains 8 features and has one errata is now available.
Category: security (important)
Bug References: 1125815,1132174,1132323,1160851,1177120,1177611,1178243,1178988
CVE References: CVE-2016-10745,CVE-2019-10906,CVE-2019-20933,CVE-2019-8341,CVE-2020-24303,CVE-2020-26137,CVE-2020-5390
JIRA References: SCRD-8681,SOC-11184,SOC-11240,SOC-11391,SOC-7751,SOC-8764,SOC-9178,SOC-9781
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): crowbar-core-6.0+git.1606314264.bf9ada813-3.31.2, crowbar-openstack-6.0+git.1604573541.bb18c172d-3.28.3, grafana-6.7.4-3.20.1, influxdb-1.3.8-4.3.3, openstack-cinder-13.0.10~dev20-3.28.2, openstack-heat-11.0.4~dev4-3.19.2, openstack-heat-gbp-12.0.1~dev2-3.3.4, openstack-heat-templates-0.0.0+git.1605509190.64f020b6-3.9.3, openstack-horizon-plugin-gbp-ui-12.0.1~dev3-3.3.4, openstack-ironic-python-agent-3.3.4~dev6-3.19.4, openstack-manila-7.4.2~dev57-4.30.2, openstack-neutron-13.0.8~dev135-3.31.2, openstack-neutron-gbp-12.0.1~dev5-3.19.4, openstack-neutron-vpnaas-13.0.2~dev6-3.9.2, openstack-nova-18.3.1~dev77-3.31.2, python-Jinja2-2.10.1-3.3.3, python-pysaml2-4.5.0-4.3.3, python-pytest-3.7.4-3.3.3, python-urllib3-1.23-3.15.3, release-notes-suse-openstack-cloud-9.20200917-3.24.3, spark-2.2.3-5.3.3
SUSE OpenStack Cloud 9 (src): ardana-cassandra-9.0+git.1600802664.7e480a2-3.6.2, ardana-mq-9.0+git.1605174486.a78ddce-3.19.2, ardana-osconfig-9.0+git.1601621747.a87e5a0-3.22.2, ardana-tempest-9.0+git.1603378983.fc0bca9-3.19.2, grafana-6.7.4-3.20.1, influxdb-1.3.8-4.3.3, openstack-cinder-13.0.10~dev20-3.28.2, openstack-heat-11.0.4~dev4-3.19.2, openstack-heat-gbp-12.0.1~dev2-3.3.4, openstack-heat-templates-0.0.0+git.1605509190.64f020b6-3.9.3, openstack-horizon-plugin-gbp-ui-12.0.1~dev3-3.3.4, openstack-ironic-python-agent-3.3.4~dev6-3.19.4, openstack-manila-7.4.2~dev57-4.30.2, openstack-neutron-13.0.8~dev135-3.31.2, openstack-neutron-gbp-12.0.1~dev5-3.19.4, openstack-neutron-vpnaas-13.0.2~dev6-3.9.2, openstack-nova-18.3.1~dev77-3.31.2, python-Jinja2-2.10.1-3.3.3, python-pysaml2-4.5.0-4.3.3, python-pytest-3.7.4-3.3.3, python-urllib3-1.23-3.15.3, release-notes-suse-openstack-cloud-9.20200917-3.24.3, spark-2.2.3-5.3.3, venv-openstack-barbican-7.0.1~dev24-3.21.2, venv-openstack-cinder-13.0.10~dev20-3.24.2, venv-openstack-designate-7.0.2~dev2-3.21.2, venv-openstack-glance-17.0.1~dev30-3.19.2, venv-openstack-heat-11.0.4~dev4-3.21.2, venv-openstack-horizon-14.1.1~dev7-4.23.2, venv-openstack-ironic-11.1.5~dev16-4.19.2, venv-openstack-keystone-14.2.1~dev4-3.21.2, venv-openstack-magnum-7.2.1~dev1-4.21.2, venv-openstack-manila-7.4.2~dev57-3.25.2, venv-openstack-monasca-2.7.1~dev10-3.19.2, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.21.2, venv-openstack-neutron-13.0.8~dev135-6.23.2, venv-openstack-nova-18.3.1~dev77-3.23.2, venv-openstack-octavia-3.2.3~dev7-4.21.2, venv-openstack-sahara-9.0.2~dev15-3.21.2, venv-openstack-swift-2.19.2~dev48-2.16.2
SUSE-SU-2021:1233-1: An update that fixes 7 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1148383,1170557,1170657,1172409,1172450,1175951,1178243
CVE References: CVE-2018-18623,CVE-2019-15043,CVE-2019-19499,CVE-2020-12052,CVE-2020-12245,CVE-2020-13379,CVE-2020-24303
JIRA References:
Sources used:
SUSE Manager Tools 15 (src): system-user-grafana-1.0.0-3.9.1
SUSE Enterprise Storage 6 (src): grafana-7.3.1-3.6.1, system-user-grafana-1.0.0-3.9.1
Adding Witek, so he can have a look at the SUSE Manager packages (the Beta client tools, but SUSE:SLE-12:Update and SUSE:SLE-15:Update as well).

SUSE Manager packages have version 7.4.2 including the bugfix:
* https://build.suse.de/package/show/Devel:Galaxy:Manager:Head/grafana
* https://build.suse.de/package/show/SUSE:SLE-15:Update/grafana
* https://build.suse.de/package/show/SUSE:SLE-12:Update/grafana
SUSE-SU-2021:1962-1: An update that fixes 23 vulnerabilities, contains two features is now available.
Category: security (moderate)
Bug References: 1044849,1048688,1115960,1148383,1170657,1171909,1172409,1172450,1174583,1178243,1179805,1181277,1181278,1181689,1181690,1182317,1182433,1183174,1183803,1184148,1185623,1186608,1186611
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2018-19039,CVE-2019-15043,CVE-2019-25025,CVE-2020-10743,CVE-2020-11110,CVE-2020-12052,CVE-2020-13379,CVE-2020-17516,CVE-2020-24303,CVE-2020-29651,CVE-2021-21238,CVE-2021-21239,CVE-2021-23336,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-33203,CVE-2021-33571
JIRA References: SOC-10357,SOC-11453
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): cassandra-3.11.10-3.3.3, crowbar-openstack-6.0+git.1616146717.a89ae0f4e-3.34.4, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, rubygem-activerecord-session_store-0.1.2-4.3.2
SUSE OpenStack Cloud 9 (src): ardana-neutron-9.0+git.1615223676.777f0b3-3.25.2, ardana-swift-9.0+git.1618235096.90974ed-3.10.2, cassandra-3.11.10-3.3.3, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, venv-openstack-barbican-7.0.1~dev24-3.23.1, venv-openstack-cinder-13.0.10~dev20-3.26.1, venv-openstack-designate-7.0.2~dev2-3.23.1, venv-openstack-glance-17.0.1~dev30-3.21.1, venv-openstack-heat-11.0.4~dev4-3.23.1, venv-openstack-horizon-14.1.1~dev11-4.27.3, venv-openstack-ironic-11.1.5~dev17-4.21.2, venv-openstack-keystone-14.2.1~dev4-3.24.3, venv-openstack-magnum-7.2.1~dev1-4.23.1, venv-openstack-manila-7.4.2~dev60-3.29.1, venv-openstack-monasca-2.7.1~dev10-3.21.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.23.2, venv-openstack-neutron-13.0.8~dev164-6.27.3, venv-openstack-nova-18.3.1~dev82-3.27.3, venv-openstack-octavia-3.2.3~dev7-4.23.1, venv-openstack-sahara-9.0.2~dev15-3.23.1, venv-openstack-swift-2.19.2~dev48-2.18.1
All done, closing.