Bug 1204303 (CVE-2022-39201) - VUL-0: CVE-2022-39201: grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
Summary: VUL-0: CVE-2022-39201: grafana: Data source and plugin proxy endpoints could ...
Status: RESOLVED FIXED
Alias: CVE-2022-39201
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other    OS: Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: monitoring-devel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/345069/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-39201:4.4:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-14 06:19 UTC by Alexander Bergmann
Modified: 2024-08-08 15:08 UTC
CC: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2022-10-14 06:19:22 UTC
rh#2131148

CVE-2022-39201: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins

Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions.

Affected versions: Grafana <= 9.1.x

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2131148
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39201
https://www.cve.org/CVERecord?id=CVE-2022-39201
https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9
https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57
https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr
https://github.com/grafana/grafana/releases/tag/v9.1.8
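The advisory above says only that the data source and plugin proxy endpoints could forward a user's Grafana login cookie to the destination plugin. The following is an added illustration of that failure mode and of the corresponding hardening, written for this page; it is not Grafana's code and does not reproduce the exact condition fixed in the linked upstream commits. It assumes the default login cookie name `grafana_session` (the real name is configurable) and models the per-data-source cookie allowlist as a plain `keep` slice; the cookie values and the `/api/datasources/proxy/1/query` path are constructed for the demo. The leaky proxy forwards the browser's `Cookie` header untouched; the hardened one rebuilds it from the allowlist and drops the session cookie even if a data source asked for it.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// sessionCookieName is Grafana's default login cookie name. The real name is
// configurable (login_cookie_name), so this constant is an assumption.
const sessionCookieName = "grafana_session"

// filterCookies rebuilds an outgoing Cookie header from the browser's cookies,
// keeping only names the data source explicitly asked for (keep) and never the
// Grafana session cookie, even when a data source listed it.
func filterCookies(cookies []*http.Cookie, keep []string) string {
	allowed := make(map[string]bool, len(keep))
	for _, name := range keep {
		allowed[name] = true
	}
	var parts []string
	for _, c := range cookies {
		if c.Name == sessionCookieName || !allowed[c.Name] {
			continue
		}
		parts = append(parts, c.Name+"="+c.Value)
	}
	return strings.Join(parts, "; ")
}

// newProxy builds a reverse proxy to upstream. With sanitize=false the
// browser's Cookie header is forwarded as-is (the leaky behaviour); with
// sanitize=true it is replaced by the filtered allowlist.
func newProxy(upstream *url.URL, keep []string, sanitize bool) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(upstream)
	orig := p.Director
	p.Director = func(r *http.Request) {
		orig(r)
		if !sanitize {
			return
		}
		filtered := filterCookies(r.Cookies(), keep)
		r.Header.Del("Cookie")
		if filtered != "" {
			r.Header.Set("Cookie", filtered)
		}
	}
	return p
}

// cookiesSeenByUpstream sends one request carrying a constructed session cookie
// and a constructed data-source cookie through the proxy and returns the Cookie
// header the upstream (playing the destination plugin) actually received.
func cookiesSeenByUpstream(keep []string, sanitize bool) string {
	var received string
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		received = r.Header.Get("Cookie")
		io.WriteString(w, "ok")
	}))
	defer upstream.Close()

	u, _ := url.Parse(upstream.URL)
	proxy := httptest.NewServer(newProxy(u, keep, sanitize))
	defer proxy.Close()

	// Constructed request: path and cookie values are illustrative only.
	req, _ := http.NewRequest("GET", proxy.URL+"/api/datasources/proxy/1/query", nil)
	req.AddCookie(&http.Cookie{Name: sessionCookieName, Value: "constructed-session-value"})
	req.AddCookie(&http.Cookie{Name: "ds_auth", Value: "constructed-ds-value"})
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "error: " + err.Error()
	}
	resp.Body.Close()
	return received
}

func main() {
	fmt.Println("leaky:    ", cookiesSeenByUpstream([]string{"ds_auth"}, false))
	fmt.Println("hardened: ", cookiesSeenByUpstream([]string{"ds_auth"}, true))
}
```

Running it prints the session cookie in the leaky case and only `ds_auth=...` in the hardened case. The practitioner check this suggests for an unpatched deployment is the same: point a data source at an endpoint you control and inspect the `Cookie` header that arrives.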
Comment 2 Witek Bedyk 2022-11-03 14:06:52 UTC
The bugfix is released upstream in version 8.5.14.
I suggested upgrading from 8.5.13 to 8.5.14.

https://github.com/SUSE/spacewalk/issues/19410
Comment 6 Swamp Workflow Management 2023-02-10 17:42:51 UTC
SUSE-SU-2023:0353-1: An update that solves 6 vulnerabilities, contains one feature and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1172110,1204032,1204126,1204302,1204303,1204304,1204305,1205207,1205225,1205227,1205599,1206470
CVE References: CVE-2022-31123,CVE-2022-31130,CVE-2022-39201,CVE-2022-39229,CVE-2022-39306,CVE-2022-39307
JIRA References: PED-2617
Sources used:
openSUSE Leap 15.4 (src):    dracut-saltboot-0.1.1673279145.e7616bd-150000.1.44.1, spacecmd-4.3.18-150000.3.92.1
SUSE Manager Tools for SLE Micro 5 (src):    dracut-saltboot-0.1.1673279145.e7616bd-150000.1.44.1
SUSE Manager Tools 15 (src):    dracut-saltboot-0.1.1673279145.e7616bd-150000.1.44.1, grafana-8.5.15-150000.1.39.1, mgr-osad-4.3.7-150000.1.42.1, mgr-push-4.3.5-150000.1.24.2, rhnlib-4.3.5-150000.3.40.1, spacecmd-4.3.18-150000.3.92.1, spacewalk-client-tools-4.3.14-150000.3.74.1, uyuni-common-libs-4.3.7-150000.1.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2023-02-10 17:45:08 UTC
SUSE-SU-2023:0362-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1204302,1204303,1204304,1204305,1205225,1205227
CVE References: CVE-2022-31123,CVE-2022-31130,CVE-2022-39201,CVE-2022-39229,CVE-2022-39306,CVE-2022-39307
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    grafana-8.5.15-150200.3.32.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    grafana-8.5.15-150200.3.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2023-02-10 17:54:45 UTC
SUSE-SU-2023:0352-1: An update that solves 6 vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1172110,1204032,1204126,1204302,1204303,1204304,1204305,1205207,1205225,1205227,1206470
CVE References: CVE-2022-31123,CVE-2022-31130,CVE-2022-39201,CVE-2022-39229,CVE-2022-39306,CVE-2022-39307
JIRA References: PED-2617
Sources used:
SUSE Manager Tools 12 (src):    grafana-8.5.15-1.39.1, kiwi-desc-saltboot-0.1.1673279145.e7616bd-1.32.1, mgr-osad-4.3.7-1.42.1, mgr-push-4.3.5-1.24.1, rhnlib-4.3.5-21.46.1, spacecmd-4.3.18-38.115.1, spacewalk-client-tools-4.3.14-52.83.1, uyuni-common-libs-4.3.7-1.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Gianluca Gabrielli 2023-04-07 15:02:59 UTC
Hi maintainers, the following packages are missing the patch. Please submit.

monitoring-devel@suse.de
 - SUSE:SLE-15-SP1:Update:Products:SES6:Update/grafana
 - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/grafana
 - SUSE:SLE-12:Update:Products:ManagerToolsBeta:Update/grafana

cloud-bugs@suse.de
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/grafana
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/grafana
Comment 12 Maintenance Automation 2024-01-23 20:30:14 UTC
SUSE-SU-2024:0196-1: An update that solves 44 vulnerabilities, contains 14 features and has 35 security fixes can now be installed.

Category: security (moderate)
Bug References: 1172110, 1176460, 1180816, 1180942, 1181119, 1181935, 1183684, 1187725, 1188061, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1197507, 1198903, 1199810, 1200142, 1200480, 1200591, 1200968, 1200970, 1201003, 1201059, 1201535, 1201539, 1202614, 1202945, 1203283, 1203596, 1203597, 1203599, 1204032, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205599, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208060, 1208062, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210640, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-23552, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3694, PED-4556, PED-5405, PED-5406, SLE-23422, SLE-23439, SLE-23631, SLE-24133, SLE-24565, SLE-24791
Sources used:
SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1
SUSE Manager Client Tools Beta for SLE 15 (src): python-pyvmomi-6.7.3-159000.3.6.1, golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, supportutils-plugin-salt-1.2.2-159000.5.9.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, mgr-push-5.0.1-159000.4.21.1, golang-github-lusitaniae-apache_exporter-1.0.0-159000.4.12.1, rhnlib-5.0.1-159000.6.30.1, golang-github-prometheus-prometheus-2.45.0-159000.6.33.1, spacewalk-client-tools-5.0.1-159000.6.48.1, uyuni-common-libs-5.0.1-159000.3.33.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1, golang-github-boynux-squid_exporter-1.6-159000.4.9.1, ansible-2.9.27-159000.3.9.1, prometheus-postgres_exporter-0.10.1-159000.3.6.1, grafana-9.5.8-159000.4.24.1, spacecmd-5.0.1-159000.6.42.1, python-hwdata-2.3.5-159000.5.13.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, supportutils-plugin-susemanager-client-5.0.1-159000.6.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2024-01-23 20:30:46 UTC
SUSE-SU-2024:0191-1: An update that solves 45 vulnerabilities, contains 17 features and has 30 security fixes can now be installed.

Category: security (moderate)
Bug References: 1047218, 1172110, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1194873, 1195726, 1195727, 1195728, 1196338, 1196652, 1197507, 1198903, 1199810, 1200480, 1200591, 1200725, 1201003, 1201059, 1201535, 1201539, 1203283, 1203596, 1203597, 1203599, 1204032, 1204089, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208051, 1208060, 1208062, 1208064, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-39226, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-23552, CVE-2022-27191, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128, CVE-2023-40577
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3578, PED-3694, PED-4556, PED-5405, PED-5406, PED-7353, SLE-23422, SLE-23439, SLE-24238, SLE-24239, SLE-24565, SLE-24791, SUMA-114
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): rhnlib-5.0.1-24.30.3, spacecmd-5.0.1-41.42.3, grafana-9.5.8-4.21.2, prometheus-postgres_exporter-0.10.1-3.6.4, golang-github-prometheus-node_exporter-1.5.0-4.15.4, golang-github-QubitProducts-exporter_exporter-0.4.0-4.6.2, system-user-grafana-1.0.0-3.7.2, kiwi-desc-saltboot-0.1.1687520761.cefb248-4.15.2, golang-github-prometheus-prometheus-2.45.0-4.33.3, supportutils-plugin-susemanager-client-5.0.1-9.15.2, uyuni-common-libs-5.0.1-3.33.3, prometheus-blackbox_exporter-0.24.0-3.6.3, golang-github-lusitaniae-apache_exporter-1.0.0-4.12.4, golang-github-prometheus-alertmanager-0.26.0-4.12.4, system-user-prometheus-1.0.0-3.7.2, python-hwdata-2.3.5-15.12.2, golang-github-boynux-squid_exporter-1.6-4.9.2, supportutils-plugin-salt-1.2.2-9.9.2, golang-github-prometheus-promu-0.14.0-4.12.2, mgr-push-5.0.1-4.21.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.