Bug 1207750 (CVE-2022-39324) - VUL-0: CVE-2022-39324: grafana: Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the
Summary: VUL-0: CVE-2022-39324: grafana: Grafana is an open-source platform for monito...
Status: RESOLVED FIXED
Alias: CVE-2022-39324
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Witek Bedyk
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/355609/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-39324:6.7:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-30 09:17 UTC by Stoyan Manolov
Modified: 2024-01-23 20:30 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stoyan Manolov 2023-01-30 09:17:27 UTC 
CVE-2022-39324

Grafana is an open-source platform for monitoring and observability. Prior to
versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily
choose the `originalUrl` parameter by editing the query, thanks to a web proxy.
When another user opens the URL of the snapshot, they will be presented with the
regular web interface delivered by the trusted Grafana server. The `Open
original dashboard` button no longer points to the to the real original
dashboard but to the attacker’s injected URL. This issue is fixed in versions
8.5.16 and 9.2.8.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39324
https://www.cve.org/CVERecord?id=CVE-2022-39324
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c
https://github.com/grafana/grafana/pull/60232
https://github.com/grafana/grafana/pull/60256
Comment 2 Witek Bedyk 2023-02-06 11:09:11 UTC 
Package upgraded to version 8.5.20 in the development project server:monitoring:

https://build.opensuse.org/request/show/1063390
Comment 4 Witek Bedyk 2023-03-03 09:24:54 UTC 
Bugfix release for SLE codestreams is planned together with SUSE Manager MU on June 22, 2023.
Comment 5 Maintenance Automation 2023-03-20 16:30:21 UTC 
SUSE-SU-2023:0821-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1207749, 1207750, 1208065, 1208293
CVE References: CVE-2022-23552, CVE-2022-39324, CVE-2022-41723, CVE-2022-46146
Sources used:
openSUSE Leap 15.4 (src): grafana-8.5.20-150200.3.35.1
SUSE Package Hub 15 15-SP4 (src): grafana-8.5.20-150200.3.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-03-20 16:30:44 UTC 
SUSE-SU-2023:0812-1: An update that solves four vulnerabilities and has four fixes can now be installed.

Category: security (important)
Bug References: 1201059, 1205599, 1205759, 1207352, 1207749, 1207750, 1208065, 1208293
CVE References: CVE-2022-23552, CVE-2022-39324, CVE-2022-41723, CVE-2022-46146
Sources used:
openSUSE Leap 15.4 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1, dracut-saltboot-0.1.1674034019.a93ff61-150000.1.47.1, spacecmd-4.3.19-150000.3.95.1
SUSE Manager Client Tools for SLE 15 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1, spacewalk-client-tools-4.3.15-150000.3.77.1, dracut-saltboot-0.1.1674034019.a93ff61-150000.1.47.1, uyuni-proxy-systemd-services-4.3.8-150000.1.12.1, grafana-8.5.20-150000.1.42.1, spacecmd-4.3.19-150000.3.95.1
SUSE Manager Client Tools for SLE Micro 5 (src): dracut-saltboot-0.1.1674034019.a93ff61-150000.1.47.1, uyuni-proxy-systemd-services-4.3.8-150000.1.12.1
Basesystem Module 15-SP4 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Real Time 15 SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Manager Proxy 4.2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Manager Retail Branch Server 4.2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Manager Server 4.2 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Enterprise Storage 7.1 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE Enterprise Storage 7 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1
SUSE CaaS Platform 4.0 (src): supportutils-plugin-salt-1.2.2-150000.3.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Maintenance Automation 2023-03-20 16:30:52 UTC 
SUSE-SU-2023:0811-1: An update that solves four vulnerabilities and has two fixes can now be installed.

Category: security (important)
Bug References: 1205759, 1207352, 1207749, 1207750, 1208065, 1208293
CVE References: CVE-2022-23552, CVE-2022-39324, CVE-2022-41723, CVE-2022-46146
Sources used:
SUSE Manager Client Tools for SLE 12 (src): spacewalk-client-tools-4.3.15-52.86.1, grafana-8.5.20-1.42.1, spacecmd-4.3.19-38.118.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-01-23 20:30:17 UTC 
SUSE-SU-2024:0196-1: An update that solves 44 vulnerabilities, contains 14 features and has 35 security fixes can now be installed.

Category: security (moderate)
Bug References: 1172110, 1176460, 1180816, 1180942, 1181119, 1181935, 1183684, 1187725, 1188061, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1197507, 1198903, 1199810, 1200142, 1200480, 1200591, 1200968, 1200970, 1201003, 1201059, 1201535, 1201539, 1202614, 1202945, 1203283, 1203596, 1203597, 1203599, 1204032, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205599, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208060, 1208062, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210640, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-23552, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3694, PED-4556, PED-5405, PED-5406, SLE-23422, SLE-23439, SLE-23631, SLE-24133, SLE-24565, SLE-24791
Sources used:
SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1
SUSE Manager Client Tools Beta for SLE 15 (src): python-pyvmomi-6.7.3-159000.3.6.1, golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, supportutils-plugin-salt-1.2.2-159000.5.9.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, mgr-push-5.0.1-159000.4.21.1, golang-github-lusitaniae-apache_exporter-1.0.0-159000.4.12.1, rhnlib-5.0.1-159000.6.30.1, golang-github-prometheus-prometheus-2.45.0-159000.6.33.1, spacewalk-client-tools-5.0.1-159000.6.48.1, uyuni-common-libs-5.0.1-159000.3.33.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1, golang-github-boynux-squid_exporter-1.6-159000.4.9.1, ansible-2.9.27-159000.3.9.1, prometheus-postgres_exporter-0.10.1-159000.3.6.1, grafana-9.5.8-159000.4.24.1, spacecmd-5.0.1-159000.6.42.1, python-hwdata-2.3.5-159000.5.13.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, supportutils-plugin-susemanager-client-5.0.1-159000.6.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-01-23 20:30:47 UTC 
SUSE-SU-2024:0191-1: An update that solves 45 vulnerabilities, contains 17 features and has 30 security fixes can now be installed.

Category: security (moderate)
Bug References: 1047218, 1172110, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1194873, 1195726, 1195727, 1195728, 1196338, 1196652, 1197507, 1198903, 1199810, 1200480, 1200591, 1200725, 1201003, 1201059, 1201535, 1201539, 1203283, 1203596, 1203597, 1203599, 1204032, 1204089, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208051, 1208060, 1208062, 1208064, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-39226, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-23552, CVE-2022-27191, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128, CVE-2023-40577
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3578, PED-3694, PED-4556, PED-5405, PED-5406, PED-7353, SLE-23422, SLE-23439, SLE-24238, SLE-24239, SLE-24565, SLE-24791, SUMA-114
Sources used:
SUSE Manager Client Tools Beta for SLE 12 (src): rhnlib-5.0.1-24.30.3, spacecmd-5.0.1-41.42.3, grafana-9.5.8-4.21.2, prometheus-postgres_exporter-0.10.1-3.6.4, golang-github-prometheus-node_exporter-1.5.0-4.15.4, golang-github-QubitProducts-exporter_exporter-0.4.0-4.6.2, system-user-grafana-1.0.0-3.7.2, kiwi-desc-saltboot-0.1.1687520761.cefb248-4.15.2, golang-github-prometheus-prometheus-2.45.0-4.33.3, supportutils-plugin-susemanager-client-5.0.1-9.15.2, uyuni-common-libs-5.0.1-3.33.3, prometheus-blackbox_exporter-0.24.0-3.6.3, golang-github-lusitaniae-apache_exporter-1.0.0-4.12.4, golang-github-prometheus-alertmanager-0.26.0-4.12.4, system-user-prometheus-1.0.0-3.7.2, python-hwdata-2.3.5-15.12.2, golang-github-boynux-squid_exporter-1.6-4.9.2, supportutils-plugin-salt-1.2.2-9.9.2, golang-github-prometheus-promu-0.14.0-4.12.2, mgr-push-5.0.1-4.21.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.