Bug 1207749 (CVE-2022-23552) - VUL-0: CVE-2022-23552: grafana: Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plu
Summary: VUL-0: CVE-2022-23552: grafana: Grafana is an open-source platform for monito...
Status: RESOLVED FIXED
Alias: CVE-2022-23552
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Witek Bedyk
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/355610/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-23552:7.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-30 09:14 UTC by Stoyan Manolov
Modified: 2024-01-23 20:30 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Stoyan Manolov 2023-01-30 09:14:00 UTC
CVE-2022-23552

Grafana is an open-source platform for monitoring and observability. Starting
with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had
a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS
vulnerability was possible because SVG files weren't properly sanitized and
allowed arbitrary JavaScript to be executed in the context of the currently
authorized user of the Grafana instance. An attacker needs to have the Editor
role in order to change a panel to include either an external URL to an SVG file
containing JavaScript, or use the `data:` scheme to load an inline SVG file
containing JavaScript. This means that vertical privilege escalation is
possible, where a user with Editor role can change to a known password for a
user having Admin role if the user with Admin role executes malicious JavaScript
viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to
receive a fix.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23552
https://www.cve.org/CVERecord?id=CVE-2022-23552
https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0
https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv
https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f
https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a
https://github.com/grafana/grafana/pull/62143
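The description above names two delivery vectors for the unsanitized SVG: an external URL and an inline SVG via the `data:` scheme. The following is an added defensive example, not Grafana's code and not taken from the advisory or the linked commits, showing the two controls a panel implementation would want on the rendering side: an origin allow-list for image sources that rejects `data:`, `javascript:` and foreign origins outright, and a conservative scan of inline SVG text that flags script elements, event-handler attributes and external references. The instance origin `https://grafana.example`, the function names and the sample sources are assumptions constructed for this example.

```javascript
// Added defensive example, not Grafana's code: an allow-list for image sources
// a dashboard panel may reference, plus a conservative scan of inline SVG text
// for active content. Origin, function names and sample inputs are assumptions.

// Decide whether a panel-configured image source may be fetched and rendered.
// Only http(s) URLs on the instance's own origin pass; relative paths resolve
// to that origin. data:, javascript:, blob: and foreign origins are rejected.
function classifyImageSource(src, allowedOrigin) {
  const own = new URL(allowedOrigin).origin;
  let parsed;
  try {
    parsed = new URL(String(src).trim(), allowedOrigin); // relative -> own origin
  } catch (err) {
    return { allowed: false, reason: 'unparseable' };
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return { allowed: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.origin !== own) {
    return { allowed: false, reason: 'external origin' };
  }
  return { allowed: true, reason: 'same-origin' };
}

// Recover the SVG text carried by a data: URI (base64 or percent-encoded),
// or null if the source is not an SVG data: URI.
function decodeSvgDataUri(src) {
  const m = /^data:image\/svg\+xml([^,]*),([\s\S]*)$/i.exec(String(src).trim());
  if (!m) return null;
  const [, params, payload] = m;
  return /;base64/i.test(params)
    ? Buffer.from(payload, 'base64').toString('utf8')
    : decodeURIComponent(payload);
}

// Conservative pattern scan of SVG markup for constructs that run or load
// code. An empty result means "nothing flagged", not "safe": rendering must
// still go through a DOM-based sanitizer; this is a detection aid only.
const ACTIVE_CONTENT_CHECKS = [
  [/<\s*script\b/i, 'script element'],
  [/<\s*foreignObject\b/i, 'foreignObject element'],
  [/\son[a-z]+\s*=/i, 'event handler attribute'],
  [/\bhref\s*=\s*["']?\s*javascript:/i, 'javascript: URL'],
  [/<\s*(?:use|image)\b[^>]*\bhref\s*=\s*["'](?:https?:)?\/\//i, 'external reference'],
];

function findActiveSvgContent(svgText) {
  return ACTIVE_CONTENT_CHECKS.filter(([re]) => re.test(svgText)).map(([, label]) => label);
}

// Combined verdict for one configured source: the policy decision plus, for
// inline data: SVGs, whatever the content scan flagged (useful in audit logs).
function auditPanelImageSource(src, allowedOrigin) {
  const verdict = classifyImageSource(src, allowedOrigin);
  const inline = decodeSvgDataUri(src);
  return {
    src: String(src),
    allowed: verdict.allowed,
    reason: verdict.reason,
    findings: inline === null ? [] : findActiveSvgContent(inline),
  };
}

// Constructed sample inputs (assumed origin, not real dashboard data).
const ORIGIN = 'https://grafana.example';
const INLINE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><script>void 0</script></svg>';
const SAMPLE_SOURCES = [
  '/public/img/icons/marker.svg',                          // relative: same-origin
  'https://grafana.example/public/img/icons/marker.svg',   // absolute own origin
  'https://attacker.example/marker.svg',                   // external URL vector
  '//attacker.example/marker.svg',                         // protocol-relative, also external
  'data:image/svg+xml;base64,' + Buffer.from(INLINE_SVG).toString('base64'), // data: vector
];

function auditSampleSources() {
  return SAMPLE_SOURCES.map((src) => auditPanelImageSource(src, ORIGIN));
}

console.log(JSON.stringify(auditSampleSources(), null, 2));
```

The allow-list is the control that actually closes both vectors named in the description; the content scan exists so that rejected inline SVGs can be logged with a reason, and so that an SVG served from the instance's own origin can be checked before it is trusted. The regex scan deliberately errs toward false positives (any `on...=` attribute is flagged), which is the right trade-off for a detector but not a substitute for sanitizing the parsed DOM before rendering.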
Comment 2 Witek Bedyk 2023-02-06 11:08:55 UTC
Package upgraded to version 8.5.20 in the development project server:monitoring:

https://build.opensuse.org/request/show/1063390
Comment 4 Witek Bedyk 2023-03-03 09:22:37 UTC
Bugfix release for SLE codestreams is planned together with SUSE Manager MU on June 22, 2023.
Comment 5 Maintenance Automation 2023-03-20 16:30:21 UTC
SUSE-SU-2023:0821-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1207749, 1207750, 1208065, 1208293
CVE References: CVE-2022-23552, CVE-2022-39324, CVE-2022-41723, CVE-2022-46146
Sources used:
openSUSE Leap 15.4 (src): grafana-8.5.20-150200.3.35.1
SUSE Package Hub 15 15-SP4 (src): grafana-8.5.20-150200.3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-03-20 16:30:44 UTC
SUSE-SU-2023:0812-1: An update that solves four vulnerabilities and has four fixes can now be installed.

Category: security (important)
Bug References: 1201059, 1205599, 1205759, 1207352, 1207749, 1207750, 1208065, 1208293
CVE References: CVE-2022-23552, CVE-2022-39324, CVE-2022-41723, CVE-2022-46146
Sources used:
openSUSE Leap 15.4 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1, dracut-saltboot-0.1.1674034019.a93ff61-150000.1.47.1, spacecmd-4.3.19-150000.3.95.1
SUSE Manager Client Tools for SLE 15 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1, spacewalk-client-tools-4.3.15-150000.3.77.1, dracut-saltboot-0.1.1674034019.a93ff61-150000.1.47.1, uyuni-proxy-systemd-services-4.3.8-150000.1.12.1, grafana-8.5.20-150000.1.42.1, spacecmd-4.3.19-150000.3.95.1
SUSE Manager Client Tools for SLE Micro 5 (src): dracut-saltboot-0.1.1674034019.a93ff61-150000.1.47.1, uyuni-proxy-systemd-services-4.3.8-150000.1.12.1
Basesystem Module 15-SP4 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Real Time 15 SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Manager Proxy 4.2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Manager Retail Branch Server 4.2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Manager Server 4.2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Enterprise Storage 7.1 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Enterprise Storage 7 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE CaaS Platform 4.0 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-03-20 16:30:52 UTC
SUSE-SU-2023:0811-1: An update that solves four vulnerabilities and has two fixes can now be installed.

Category: security (important)
Bug References: 1205759, 1207352, 1207749, 1207750, 1208065, 1208293
CVE References: CVE-2022-23552, CVE-2022-39324, CVE-2022-41723, CVE-2022-46146
Sources used:
SUSE Manager Client Tools for SLE 12 (src): spacewalk-client-tools-4.3.15-52.86.1, grafana-8.5.20-1.42.1, spacecmd-4.3.19-38.118.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-01-23 20:30:17 UTC
SUSE-SU-2024:0196-1: An update that solves 44 vulnerabilities, contains 14 features and has 35 security fixes can now be installed.

Category: security (moderate)
Bug References: 1172110, 1176460, 1180816, 1180942, 1181119, 1181935, 1183684, 1187725, 1188061, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1197507, 1198903, 1199810, 1200142, 1200480, 1200591, 1200968, 1200970, 1201003, 1201059, 1201535, 1201539, 1202614, 1202945, 1203283, 1203596, 1203597, 1203599, 1204032, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205599, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208060, 1208062, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210640, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-23552, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3694, PED-4556, PED-5405, PED-5406, SLE-23422, SLE-23439, SLE-23631, SLE-24133, SLE-24565, SLE-24791
Sources used:
SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1
SUSE Manager Client Tools Beta for SLE 15 (src): python-pyvmomi-6.7.3-159000.3.6.1, golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, supportutils-plugin-salt-1.2.2-159000.5.9.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, mgr-push-5.0.1-159000.4.21.1, golang-github-lusitaniae-apache_exporter-1.0.0-159000.4.12.1, rhnlib-5.0.1-159000.6.30.1, golang-github-prometheus-prometheus-2.45.0-159000.6.33.1, spacewalk-client-tools-5.0.1-159000.6.48.1, uyuni-common-libs-5.0.1-159000.3.33.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1, golang-github-boynux-squid_exporter-1.6-159000.4.9.1, ansible-2.9.27-159000.3.9.1, prometheus-postgres_exporter-0.10.1-159000.3.6.1, grafana-9.5.8-159000.4.24.1, spacecmd-5.0.1-159000.6.42.1, python-hwdata-2.3.5-159000.5.13.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, supportutils-plugin-susemanager-client-5.0.1-159000.6.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-01-23 20:30:47 UTC
SUSE-SU-2024:0191-1: An update that solves 45 vulnerabilities, contains 17 features and has 30 security fixes can now be installed.

Category: security (moderate)
Bug References: 1047218, 1172110, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1194873, 1195726, 1195727, 1195728, 1196338, 1196652, 1197507, 1198903, 1199810, 1200480, 1200591, 1200725, 1201003, 1201059, 1201535, 1201539, 1203283, 1203596, 1203597, 1203599, 1204032, 1204089, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208051, 1208060, 1208062, 1208064, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-39226, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-23552, CVE-2022-27191, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128, CVE-2023-40577
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3578, PED-3694, PED-4556, PED-5405, PED-5406, PED-7353, SLE-23422, SLE-23439, SLE-24238, SLE-24239, SLE-24565, SLE-24791, SUMA-114
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): rhnlib-5.0.1-24.30.3, spacecmd-5.0.1-41.42.3, grafana-9.5.8-4.21.2, prometheus-postgres_exporter-0.10.1-3.6.4, golang-github-prometheus-node_exporter-1.5.0-4.15.4, golang-github-QubitProducts-exporter_exporter-0.4.0-4.6.2, system-user-grafana-1.0.0-3.7.2, kiwi-desc-saltboot-0.1.1687520761.cefb248-4.15.2, golang-github-prometheus-prometheus-2.45.0-4.33.3, supportutils-plugin-susemanager-client-5.0.1-9.15.2, uyuni-common-libs-5.0.1-3.33.3, prometheus-blackbox_exporter-0.24.0-3.6.3, golang-github-lusitaniae-apache_exporter-1.0.0-4.12.4, golang-github-prometheus-alertmanager-0.26.0-4.12.4, system-user-prometheus-1.0.0-3.7.2, python-hwdata-2.3.5-15.12.2, golang-github-boynux-squid_exporter-1.6-4.9.2, supportutils-plugin-salt-1.2.2-9.9.2, golang-github-prometheus-promu-0.14.0-4.12.2, mgr-push-5.0.1-4.21.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.