Bug 1204305 (CVE-2022-31130) - VUL-0: CVE-2022-31130: grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Status: RESOLVED FIXED
Alias: CVE-2022-31130
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: monitoring-devel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/345077/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-31130:4.4:(AV:...
Reported: 2022-10-14 06:19 UTC by Alexander Bergmann
Modified: 2024-08-08 15:11 UTC
CC: 8 users

See Also:
Found By: Security Response Team
Description Alexander Bergmann 2022-10-14 06:19:27 UTC
rh#2131146

CVE-2022-31130: Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins 

A security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis the vulnerability impacts data source and plugin proxy endpoints with authentication tokens; as a result, the destination plugin could receive a Grafana authentication token of the user.

Affected versions: Grafana <= 9.1.x

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2131146
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31130
https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177
https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f
https://github.com/grafana/grafana/releases/tag/v9.1.8
https://www.cve.org/CVERecord?id=CVE-2022-31130
http://www.cvedetails.com/cve/CVE-2022-31130/
https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc
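As an added example (not Grafana's code and not the upstream fix linked above), the hardened shape of a data source proxy in Go: the user's own Grafana credentials are stripped before the request is forwarded, only the data source's configured credential is attached, and a regression check confirms the user's token never reaches the destination. The DataSource type, host names, paths and token values are constructed assumptions.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// DataSource is an assumed, simplified upstream: base URL plus the
// credential that belongs to the data source, not to the Grafana user.
type DataSource struct {
	Base        *url.URL
	BearerToken string
}

// NewUserRequest is a constructed inbound request: the user's Grafana
// credential arrives as a bearer token and again as the session cookie.
func NewUserRequest(path, userToken string) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "https://grafana.example.invalid"+path, nil)
	req.Header.Set("Authorization", "Bearer "+userToken)
	req.Header.Set("Cookie", "grafana_session="+userToken)
	return req
}

// PrepareOutbound builds the upstream request. Forwarding the clone as-is
// would hand the user's token to the destination; the hardened form retargets
// the URL, drops user-credential headers and attaches the data source's own.
func PrepareOutbound(ds DataSource, in *http.Request) *http.Request {
	out := in.Clone(in.Context()) // deep-copies URL and headers
	out.URL.Scheme, out.URL.Host, out.Host = ds.Base.Scheme, ds.Base.Host, ds.Base.Host
	out.URL.Path = strings.TrimSuffix(ds.Base.Path, "/") + in.URL.Path
	for _, h := range []string{"Authorization", "Cookie", "Proxy-Authorization"} {
		out.Header.Del(h)
	}
	out.Header.Set("Authorization", "Bearer "+ds.BearerToken)
	return out
}

// ForwardsUserCredential is the regression check a proxy test should run:
// does any outbound header still contain the user's token?
func ForwardsUserCredential(out *http.Request, userToken string) bool {
	for _, vals := range out.Header {
		for _, v := range vals {
			if strings.Contains(v, userToken) {
				return true
			}
		}
	}
	return false
}
```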
Comment 2 Witek Bedyk 2022-11-03 14:07:39 UTC
The bugfix is released upstream in version 8.5.14.
I suggested upgrading from 8.5.13 to 8.5.14.

https://github.com/SUSE/spacewalk/issues/19410
Comment 6 Swamp Workflow Management 2023-02-10 17:42:59 UTC
SUSE-SU-2023:0353-1: An update that solves 6 vulnerabilities, contains one feature and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1172110,1204032,1204126,1204302,1204303,1204304,1204305,1205207,1205225,1205227,1205599,1206470
CVE References: CVE-2022-31123,CVE-2022-31130,CVE-2022-39201,CVE-2022-39229,CVE-2022-39306,CVE-2022-39307
JIRA References: PED-2617
Sources used:
openSUSE Leap 15.4 (src):    dracut-saltboot-0.1.1673279145.e7616bd-150000.1.44.1, spacecmd-4.3.18-150000.3.92.1
SUSE Manager Tools for SLE Micro 5 (src):    dracut-saltboot-0.1.1673279145.e7616bd-150000.1.44.1
SUSE Manager Tools 15 (src):    dracut-saltboot-0.1.1673279145.e7616bd-150000.1.44.1, grafana-8.5.15-150000.1.39.1, mgr-osad-4.3.7-150000.1.42.1, mgr-push-4.3.5-150000.1.24.2, rhnlib-4.3.5-150000.3.40.1, spacecmd-4.3.18-150000.3.92.1, spacewalk-client-tools-4.3.14-150000.3.74.1, uyuni-common-libs-4.3.7-150000.1.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2023-02-10 17:45:17 UTC
SUSE-SU-2023:0362-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1204302,1204303,1204304,1204305,1205225,1205227
CVE References: CVE-2022-31123,CVE-2022-31130,CVE-2022-39201,CVE-2022-39229,CVE-2022-39306,CVE-2022-39307
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    grafana-8.5.15-150200.3.32.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    grafana-8.5.15-150200.3.32.1
Comment 8 Swamp Workflow Management 2023-02-10 17:54:53 UTC
SUSE-SU-2023:0352-1: An update that solves 6 vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1172110,1204032,1204126,1204302,1204303,1204304,1204305,1205207,1205225,1205227,1206470
CVE References: CVE-2022-31123,CVE-2022-31130,CVE-2022-39201,CVE-2022-39229,CVE-2022-39306,CVE-2022-39307
JIRA References: PED-2617
Sources used:
SUSE Manager Tools 12 (src):    grafana-8.5.15-1.39.1, kiwi-desc-saltboot-0.1.1673279145.e7616bd-1.32.1, mgr-osad-4.3.7-1.42.1, mgr-push-4.3.5-1.24.1, rhnlib-4.3.5-21.46.1, spacecmd-4.3.18-38.115.1, spacewalk-client-tools-4.3.14-52.83.1, uyuni-common-libs-4.3.7-1.30.1
Comment 9 Gianluca Gabrielli 2023-04-07 15:00:37 UTC
Hi maintainers, the following packages are missing the patch. Please submit.

monitoring-devel@suse.de
 - SUSE:SLE-15-SP1:Update:Products:SES6:Update/grafana
 - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/grafana
 - SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update/grafana

cloud-bugs@suse.de
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/grafana
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/grafana
Comment 12 Maintenance Automation 2024-01-23 20:30:14 UTC
SUSE-SU-2024:0196-1: An update that solves 44 vulnerabilities, contains 14 features and has 35 security fixes can now be installed.

Category: security (moderate)
Bug References: 1172110, 1176460, 1180816, 1180942, 1181119, 1181935, 1183684, 1187725, 1188061, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1197507, 1198903, 1199810, 1200142, 1200480, 1200591, 1200968, 1200970, 1201003, 1201059, 1201535, 1201539, 1202614, 1202945, 1203283, 1203596, 1203597, 1203599, 1204032, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205599, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208060, 1208062, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210640, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-23552, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3694, PED-4556, PED-5405, PED-5406, SLE-23422, SLE-23439, SLE-23631, SLE-24133, SLE-24565, SLE-24791
Sources used:
SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1
SUSE Manager Client Tools Beta for SLE 15 (src): python-pyvmomi-6.7.3-159000.3.6.1, golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, supportutils-plugin-salt-1.2.2-159000.5.9.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, mgr-push-5.0.1-159000.4.21.1, golang-github-lusitaniae-apache_exporter-1.0.0-159000.4.12.1, rhnlib-5.0.1-159000.6.30.1, golang-github-prometheus-prometheus-2.45.0-159000.6.33.1, spacewalk-client-tools-5.0.1-159000.6.48.1, uyuni-common-libs-5.0.1-159000.3.33.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1, golang-github-boynux-squid_exporter-1.6-159000.4.9.1, ansible-2.9.27-159000.3.9.1, prometheus-postgres_exporter-0.10.1-159000.3.6.1, grafana-9.5.8-159000.4.24.1, spacecmd-5.0.1-159000.6.42.1, python-hwdata-2.3.5-159000.5.13.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, supportutils-plugin-susemanager-client-5.0.1-159000.6.15.1
Comment 13 Maintenance Automation 2024-01-23 20:30:46 UTC
SUSE-SU-2024:0191-1: An update that solves 45 vulnerabilities, contains 17 features and has 30 security fixes can now be installed.

Category: security (moderate)
Bug References: 1047218, 1172110, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1194873, 1195726, 1195727, 1195728, 1196338, 1196652, 1197507, 1198903, 1199810, 1200480, 1200591, 1200725, 1201003, 1201059, 1201535, 1201539, 1203283, 1203596, 1203597, 1203599, 1204032, 1204089, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208051, 1208060, 1208062, 1208064, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-39226, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-23552, CVE-2022-27191, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128, CVE-2023-40577
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3578, PED-3694, PED-4556, PED-5405, PED-5406, PED-7353, SLE-23422, SLE-23439, SLE-24238, SLE-24239, SLE-24565, SLE-24791, SUMA-114
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): rhnlib-5.0.1-24.30.3, spacecmd-5.0.1-41.42.3, grafana-9.5.8-4.21.2, prometheus-postgres_exporter-0.10.1-3.6.4, golang-github-prometheus-node_exporter-1.5.0-4.15.4, golang-github-QubitProducts-exporter_exporter-0.4.0-4.6.2, system-user-grafana-1.0.0-3.7.2, kiwi-desc-saltboot-0.1.1687520761.cefb248-4.15.2, golang-github-prometheus-prometheus-2.45.0-4.33.3, supportutils-plugin-susemanager-client-5.0.1-9.15.2, uyuni-common-libs-5.0.1-3.33.3, prometheus-blackbox_exporter-0.24.0-3.6.3, golang-github-lusitaniae-apache_exporter-1.0.0-4.12.4, golang-github-prometheus-alertmanager-0.26.0-4.12.4, system-user-prometheus-1.0.0-3.7.2, python-hwdata-2.3.5-15.12.2, golang-github-boynux-squid_exporter-1.6-4.9.2, supportutils-plugin-salt-1.2.2-9.9.2, golang-github-prometheus-promu-0.14.0-4.12.2, mgr-push-5.0.1-4.21.4