FreshPorts - VuXML

Grafana Labs reports:

When setting up Grafana, there is an option to enable JWT authentication. Enabling this will allow users to authenticate towards the Grafana instance with a special header (default X-JWT-Assertion ).

In Grafana, there is an additional way to authenticate using JWT called URL login where the token is passed as a query parameter.

When using this option, a JWT token is passed to the data source as a header, which leads to exposure of sensitive information to an unauthorized party.

The CVSS score for this vulnerability is 4.2 Medium

ge 9.1.0 lt 9.2.17

ge 9.3.0 lt 9.3.13

ge 9.4.0 lt 9.4.9

Grafana Labs reports:

When a user adds a Graphite data source, they can then use the data source in a dashboard. This capability contains a feature to use Functions. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip allows you to delete the selected Function from your query or show the Function Description. However, no sanitization is done when adding this description to the DOM.

Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.

The severity of this vulnerability is of CVSSv3.1 5.7 Medium (CVSS: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N (5.7)).

< 8.5.22

ge 9.0.0 lt 9.2.15

ge 9.3.0 lt 9.3.11

ge 9.4.0 lt 9.4.7

< 8.5.22

< 9.2.15

ge 9.3.0 lt 9.3.11

ge 9.4.0 lt 9.4.7

Grafana Labs reports:

The vulnerability impacts instances where Grafana basic authentication is enabled.

Grafana has a verify_email_enabled configuration option. When this option is enabled, users are required to confirm their email addresses before the sign-up process is complete. However, the email is only checked at the time of the sign-up. No further verification is carried out if a user’s email address is updated after the initial sign-up. Moreover, Grafana allows using an email address as the user’s login name, and no verification is ever carried out for this email address.

This means that even if the verify_email_enabled configuration option is enabled, users can use unverified email addresses to log into Grafana if the email address has been changed after the sign up, or if an email address is set as the login name.

The CVSS score for this vulnerability is [5.4 Medium] (CVSS).

< 9.5.16

ge 10.0.0 lt 10.0.11

ge 10.1.0 lt 10.1.7

ge 10.2.0 lt 10.2.4

ge 10.3.0 lt 10.3.3

< 9.5.16

< 10.0.11

ge 10.1.0 lt 10.1.7

ge 10.2.0 lt 10.2.4

ge 10.3.0 lt 10.3.3

Grafana Labs reports:

An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. (Note: Grafana Alerting is activated by default in Grafana 9.0.)

ge 8.3.0 lt 8.3.10

ge 8.4.0 lt 8.4.10

ge 8.5.0 lt 8.5.9

ge 9.0.0 lt 9.0.3

ge 9.1.0 lt 9.2.7

ge 8.3.0 lt 8.3.10

ge 8.4.0 lt 8.4.10

ge 8.5.0 lt 8.5.9

< 9.0.3

ge 9.1.0 lt 9.2.7

Grafana Labs reports:

On September 7, as a result of an internal security audit, we discovered a security vulnerability in Grafana’s basic authentication related to the usage of username and email address.

n Grafana, a user’s username and email address are unique fields, which means no other user can have the same username or email address as another user.

In addition, a user can have an email address as a username, and the Grafana login allows users to sign in with either username or email address. This creates an unusual behavior, where user_1 can register with one email address and user_2 can register their username as user_1’s email address. As a result, user_1 would be prevented from signing in to Grafana, since user_1 password won’t match with user_2 email address.

The CVSS score for this vulnerability is 4.3 moderate (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

ge 8.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

ge 8.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

Grafana Labs reports:

On 2022-12-16 during an internal audit of Grafana, a member of the security team found a stored XSS vulnerability affecting the core plugin GeoMap.

The stored XSS vulnerability was possible due to SVG-files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

ge 8.1.0 lt 8.5.16

ge 9.0.0 lt 9.2.10

ge 9.3.0 lt 9.3.4

ge 8.1.0 lt 8.5.16

ge 9.0.0 lt 9.2.10

ge 9.3.0 lt 9.3.4

Grafana Labs reports:

An issue in how go handles backticks (`) with Javascript can lead to an injection of arbitrary code into go templates. While Grafana Labs software contains potentially vulnerable versions of go, we have not identified any exploitable use cases at this time.

The CVSS score for this vulnerability is 0.0 (adjusted), 9.8 (base).

< 8.5.24

ge 9.0.0 lt 9.2.17

ge 9.3.0 lt 9.3.13

ge 9.4.0 lt 9.4.9

< 8.5.24

< 9.2.17

ge 9.3.0 lt 9.3.13

ge 9.4.0 lt 9.4.9

Grafana Labs reports:

Grafana can allow an attacker in the Viewer role to send alerts by API Alert - Test. This option, however, is not available in the user panel UI for the Viewer role.

The CVSS score for this vulnerability is 4.1 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N).

ge 8.0.0 lt 8.5.26

ge 9.0.0 lt 9.2.19

ge 9.3.0 lt 9.3.15

ge 9.4.0 lt 9.4.12

ge 9.5.0 lt 9.5.3

ge 8.0.0 lt 8.5.26

< 9.2.19

ge 9.3.0 lt 9.3.15

ge 9.4.0 lt 9.4.12

ge 9.5.0 lt 9.5.3

Grafana Labs reports:

During an internal audit of Grafana on January 25, a member of the security team found a stored XSS vulnerability affecting the core geomap plugin.

The stored XSS vulnerability was possible because map attributions weren’t properly sanitized, allowing arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

< 8.5.21

ge 9.0.0 lt 9.2.13

ge 9.3.0 lt 9.3.8

< 8.5.21

ge 9.0.0 lt 9.2.13

ge 9.3.0 lt 9.3.8

Grafana Labs reports:

During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the TraceView panel.

The stored XSS vulnerability was possible because the value of a span’s attributes/resources were not properly sanitized, and this will be rendered when the span’s attributes/resources are expanded.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

< 8.5.21

ge 9.0.0 lt 9.2.13

ge 9.3.0 lt 9.3.8

< 8.5.21

ge 9.0.0 lt 9.2.13

ge 9.3.0 lt 9.3.8

Grafana Labs reports:

Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization.

The CVSS score for this vulnerability is 6.4 Moderate

ge 8.0.0 lt 8.5.15

ge 9.0.0 lt 9.2.4

ge 8.0.0 lt 8.5.15

ge 9.0.0 lt 9.2.4

Grafana Labs reports:

A third-party penetration test of Grafana found a vulnerability in the snapshot functionality. The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user who views the snapshot with the possibility to click on the Local Snapshot button in the Grafana web UI and be presented with the dashboard that the snapshot captured. The value of the originalUrl parameter can be arbitrarily chosen by a malicious user that creates the snapshot. (Note: This can be done by editing the query thanks to a web proxy like Burp.)

We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM (CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).

ge 8.0.0 lt 8.5.16

ge 9.0.0 lt 9.2.10

ge 9.3.0 lt 9.3.4

ge 8.0.0 lt 8.5.16

ge 9.0.0 lt 9.2.10

ge 9.3.0 lt 9.3.4

Grafana Labs reports:

On August 9 an internal security review identified a vulnerability in the Grafana which allows an escalation from Admin privileges to Server Admin when Auth proxy authentication is used.

Auth proxy allows to authenticate a user by only providing the username (or email) in a X-WEBAUTH-USER HTTP header: the trust assumption is that a front proxy will take care of authentication and that Grafana server is publicly reachable only with this front proxy.

Datasource proxy breaks this assumption:

• it is possible to configure a fake datasource pointing to a localhost Grafana install with a X-WEBAUTH-USER HTTP header containing admin username.
• This fake datasource can be called publicly via this proxying feature.

The CVSS score for this vulnerability is 6.6 Moderate (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

ge 2.1.0 lt 8.5.13

ge 9.0.0 lt 9.0.9

ge 9.1.0 lt 9.1.6

ge 7.0

ge 8.0.0 lt 8.5.13

ge 9.0.0 lt 9.0.9

ge 9.1.0 lt 9.1.6

Grafana Labs reports:

On September 7th as a result of an internal security audit we have discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis the vulnerability impacts data source and plugin proxy endpoints under certain conditions.

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

ge 5.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

ge 7.0.0

ge 8.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

Grafana Labs reports:

The vulnerability impacts Grafana Cloud and Grafana Enterprise instances, and it is exploitable if a user who should not be able to access all data sources is granted permissions to create a data source.

By default, only organization Administrators are allowed to create a data source and have full access to all data sources. All other users need to be explicitly granted permission to create a data source, which then means they could exploit this vulnerability.

When a user creates a data source via the API, they can specify data source UID. If the UID is set to an asterisk (*), the user gains permissions to query, update, and delete all data sources in the organization. The exploit, however, does not stretch across organizations — to exploit the vulnerability in several organizations, a user would need permissions to create data sources in each organization.

The vulnerability comes from a lack of UID validation. When evaluating permissions, we interpret an asterisk (*) as a wild card for all resources. Therefore, we should treat it as a reserved value, and not allow the creation of a resource with the UID set to an asterisk.

The CVSS score for this vulnerability is 6 Medium.

ge 8.5.0 lt 9.5.17

ge 10.0.0 lt 10.0.12

ge 10.1.0 lt 10.1.8

ge 10.2.0 lt 10.2.5

ge 10.3.0 lt 10.3.4

< 9.5.17

Grafana Labs reports:

On July 4th as a result of an internal security audit we have discovered a bypass in the plugin signature verification by exploiting a versioning flaw.

We believe that this vulnerability is rated at CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L).

ge 7.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

ge 7.0.0

ge 8.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

Grafana Labs reports:

Grafana validates Azure Active Directory accounts based on the email claim. On Azure AD, the profile email field is not unique across Azure AD tenants. This can enable a Grafana account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant Azure AD OAuth application.

The CVSS score for this vulnerability is 9.4 Critical.

ge 6.7.0 lt 8.5.27

ge 9.0.0 lt 9.2.20

ge 9.3.0 lt 9.3.16

ge 9.4.0 lt 9.4.13

ge 9.5.0 lt 9.5.5

ge 10.0.0 lt 10.0.1

< 8.5.27

< 9.2.20

ge 9.3.0 lt 9.3.16

ge 9.4.0 lt 9.4.13

ge 9.5.0 lt 9.5.5

< 10.0.1

Grafana Labs reports:

When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message.

The CVSS score for this vulnerability is 5.3 Moderate

ge 8.0.0 lt 8.5.15

ge 9.0.0 lt 9.2.4

ge 8.0.0 lt 8.5.15

ge 9.0.0 lt 9.2.4

Grafana Labs reports:

On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key to GitLab. After further analysis the vulnerability impacts data source and plugin proxy endpoints with authentication tokens but under some conditions.

We believe that this vulnerability is rated at CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

ge 7.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8

ge 7.0.0

ge 8.0.0 lt 8.5.14

ge 9.0.0 lt 9.1.8