Security update for grafana
SUSE Security Update: Security update for grafana| Announcement ID: | SUSE-SU-2022:3676-1 |
| Rating: | important |
| References: | #1188571 #1189520 #1192383 #1192763 #1193492 #1193686 #1194873 #1195726 #1195727 #1195728 #1201535 #1201539 #1203596 #1203597 |
| Cross-References: | CVE-2021-36222 CVE-2021-3711 CVE-2021-41174 CVE-2021-41244 CVE-2021-43798 CVE-2021-43815 CVE-2022-21673 CVE-2022-21702 CVE-2022-21703 CVE-2022-21713 CVE-2022-31097 CVE-2022-31107 CVE-2022-35957 CVE-2022-36062 |
| Affected Products: |
|
An update that fixes 14 vulnerabilities, contains four features is now available.
Description:
This update for grafana fixes the following issues:
Updated to version 8.5.13 (jsc#PED-2145, jsc#SLE-23439, jsc#SLE-23422,
jsc#SLE-24565):
- CVE-2022-36062: Fixed RBAC folders/dashboards privilege escalation (bsc#1203596).
- CVE-2022-35957: Fixed escalation from admin to server admin when auth proxy is used (bsc#1203597).
- CVE-2022-31107: Fixed OAuth account takeover (bsc#1201539).
- CVE-2022-31097: Fixed XSS vulnerability in the Unified Alerting (bsc#1201535).
- CVE-2022-21702: Fixed XSS vulnerability in handling data sources (bsc#1195726).
- CVE-2022-21703: Fixed cross-origin request forgery vulnerability (bsc#1195727).
- CVE-2022-21713: Fixed Insecure Direct Object Reference vulnerability in Teams API (bsc#1195728).
- CVE-2022-21673: Fixed missing error return in GetUserInfo if no user was found (bsc#1194873).
- CVE-2021-43815: Fixed directory traversal for .csv files (bsc#1193686).
- CVE-2021-41244: Fixed incorrect access control vulnerability(bsc#1192763).
- CVE-2021-41174: Fixed XSS vulnerability on unauthenticated pages through interpolation binding expressions for AngularJS in URL (bsc#1192383).
- CVE-2021-3711: Fixed SM2 Decryption Buffer Overflow (bsc#1189520).
- CVE-2021-36222: Fixed a null pointer dereference in the KDC (bsc#1188571).
- CVE-2021-43798: Fixed arbitrary file read in the graph native plugin (bsc#1193492).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-3676=1
Package List:
- SUSE Enterprise Storage 6 (aarch64 x86_64):
- grafana-8.5.13-150100.3.12.1
- grafana-debuginfo-8.5.13-150100.3.12.1
References:
- https://www.suse.com/security/cve/CVE-2021-36222.html
- https://www.suse.com/security/cve/CVE-2021-3711.html
- https://www.suse.com/security/cve/CVE-2021-41174.html
- https://www.suse.com/security/cve/CVE-2021-41244.html
- https://www.suse.com/security/cve/CVE-2021-43798.html
- https://www.suse.com/security/cve/CVE-2021-43815.html
- https://www.suse.com/security/cve/CVE-2022-21673.html
- https://www.suse.com/security/cve/CVE-2022-21702.html
- https://www.suse.com/security/cve/CVE-2022-21703.html
- https://www.suse.com/security/cve/CVE-2022-21713.html
- https://www.suse.com/security/cve/CVE-2022-31097.html
- https://www.suse.com/security/cve/CVE-2022-31107.html
- https://www.suse.com/security/cve/CVE-2022-35957.html
- https://www.suse.com/security/cve/CVE-2022-36062.html
- https://bugzilla.suse.com/1188571
- https://bugzilla.suse.com/1189520
- https://bugzilla.suse.com/1192383
- https://bugzilla.suse.com/1192763
- https://bugzilla.suse.com/1193492
- https://bugzilla.suse.com/1193686
- https://bugzilla.suse.com/1194873
- https://bugzilla.suse.com/1195726
- https://bugzilla.suse.com/1195727
- https://bugzilla.suse.com/1195728
- https://bugzilla.suse.com/1201535
- https://bugzilla.suse.com/1201539
- https://bugzilla.suse.com/1203596
- https://bugzilla.suse.com/1203597
Run SAP
SUSE for Public Cloud
Security
