Bugzilla – Bug 1197515
VUL-0: CVE-2022-26148: grafana: information leak when integrated with Zabbix
Last modified: 2022-07-26 08:03:07 UTC
rh#2066563 An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. https://2k8.org/post-319.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2066563
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26148
https://2k8.org/post-319.html
I can't see any upstream acknowledgment
SOC 8/9 CLM don't deploy Grafana, so won't be affected. SOC 8/9 Crowbar do deploy Grafana, but don't deploy Zabbix, so shouldn't be affected.
Based on comment #2, back to the Security team.
Witold, are you maintaining the following packages? If so, could you submit the patch?
- SUSE:SLE-12:Update/grafana
- SUSE:SLE-15:Update/grafana
We either ship a newer version of Grafana (8.3.5) or don't ship Zabbix in our products, so we're not affected. Closing.