{"type":"TYPE_SECURITY","shortCode":"RL","name":"RLSA-2022:7519","synopsis":"Moderate: grafana security, bug fix, and enhancement update","severity":"SEVERITY_MODERATE","topic":"An update for grafana is now available for Rocky Linux 8.\nRocky Enterprise Software Foundation Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.","description":"Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. \nThe following packages have been upgraded to a later upstream version: grafana (7.5.15). (BZ#2055348)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\nFor detailed information on changes in this release, see the Rocky Linux 8.7 Release Notes linked from the References section.","solution":null,"affectedProducts":["Rocky Linux 8"],"fixes":[{"ticket":"2044628","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2044628","description":"CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources"},{"ticket":"2045880","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2045880","description":"CVE-2022-21698 prometheus\/client_golang: Denial of service using InstrumentHandlerCounter"},{"ticket":"2050648","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2050648","description":"CVE-2022-21702 grafana: XSS vulnerability in data source handling"},{"ticket":"2050742","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2050742","description":"CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation"},{"ticket":"2050743","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2050743","description":"CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure"},{"ticket":"2055348","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2055348","description":"Rebase of Grafana in RHEL 8.7"},{"ticket":"2065290","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2065290","description":"CVE-2021-23648 sanitize-url: XSS due to improper sanitization in sanitizeUrl function"},{"ticket":"2107342","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107342","description":"CVE-2022-30631 golang: compress\/gzip: stack exhaustion in Reader.Read"},{"ticket":"2107371","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107371","description":"CVE-2022-30630 golang: io\/fs: stack exhaustion in Glob"},{"ticket":"2107374","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107374","description":"CVE-2022-1705 golang: net\/http: improper sanitization of Transfer-Encoding header"},{"ticket":"2107376","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107376","description":"CVE-2022-1962 golang: go\/parser: stack exhaustion in all Parse* functions"},{"ticket":"2107383","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107383","description":"CVE-2022-32148 golang: net\/http\/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working"},{"ticket":"2107386","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107386","description":"CVE-2022-30632 golang: path\/filepath: stack exhaustion in Glob"},{"ticket":"2107388","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107388","description":"CVE-2022-30635 golang: encoding\/gob: stack exhaustion in Decoder.Decode"},{"ticket":"2107390","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107390","description":"CVE-2022-28131 golang: encoding\/xml: stack exhaustion in Decoder.Skip"},{"ticket":"2107392","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107392","description":"CVE-2022-30633 golang: encoding\/xml: stack exhaustion in Unmarshal"}],"cves":[{"name":"CVE-2021-23648","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2021-23648.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:L\/I:L\/A:N","cvss3BaseScore":"5.4","cwe":"CWE-79"},{"name":"CVE-2022-21673","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-21673.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N","cvss3BaseScore":"4.3","cwe":"CWE-200->CWE-201"},{"name":"CVE-2022-21702","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-21702.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:H\/I:N\/A:N","cvss3BaseScore":"6.8","cwe":"CWE-79"},{"name":"CVE-2022-21703","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-21703.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:N","cvss3BaseScore":"6.8","cwe":"CWE-352"},{"name":"CVE-2022-21713","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-21713.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:L\/I:N\/A:N","cvss3BaseScore":"4.3","cwe":"CWE-863->CWE-425"}],"references":[],"publishedAt":"2022-11-13T07:55:50.617439Z","rpms":{},"rebootSuggested":false,"buildReferences":[]}

Rocky Linux: RLSA-2022:7519 grafana security

November 13, 2022
An update for grafana is now available for Rocky Linux 8. Rocky Enterprise Software Foundation Product Security has rated this update as having a security impact of Moderate.

Summary

An update for grafana is now available for Rocky Linux 8. Rocky Enterprise Software Foundation Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.


RPMs

References

No References

CVEs

CVE-2021-23648 (CVSS 3.1 base score 5.4, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, CWE-79)
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23648.json

CVE-2022-21673 (CVSS 3.1 base score 4.3, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, CWE-200->CWE-201)
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21673.json

CVE-2022-21702 (CVSS 3.1 base score 6.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, CWE-79)
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21702.json

CVE-2022-21703 (CVSS 3.1 base score 6.8, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, CWE-352)
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21703.json

CVE-2022-21713 (CVSS 3.1 base score 4.3, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, CWE-863->CWE-425)
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21713.json

Severity: Moderate
Name: RLSA-2022:7519
Affected Products: Rocky Linux 8

Fixes

Bug 2044628 (Red Hat): CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
https://bugzilla.redhat.com/show_bug.cgi?id=2044628

Bug 2045880 (Red Hat): CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
https://bugzilla.redhat.com/show_bug.cgi?id=2045880

Bug 2050648 (Red Hat): CVE-2022-21702 grafana: XSS vulnerability in data source handling
https://bugzilla.redhat.com/show_bug.cgi?id=2050648

Bug 2050742 (Red Hat): CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
https://bugzilla.redhat.com/show_bug.cgi?id=2050742

Bug 2050743 (Red Hat): CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
https://bugzilla.redhat.com/show_bug.cgi?id=2050743

Bug 2055348 (Red Hat): Rebase of Grafana in RHEL 8.7
https://bugzilla.redhat.com/show_bug.cgi?id=2055348

Bug 2065290 (Red Hat): CVE-2021-23648 sanitize-url: XSS due to improper sanitization in sanitizeUrl function
https://bugzilla.redhat.com/show_bug.cgi?id=2065290

Bug 2107342 (Red Hat): CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
https://bugzilla.redhat.com/show_bug.cgi?id=2107342

Bug 2107371 (Red Hat): CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
https://bugzilla.redhat.com/show_bug.cgi?id=2107371

Bug 2107374 (Red Hat): CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
https://bugzilla.redhat.com/show_bug.cgi?id=2107374

Bug 2107376 (Red Hat): CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
https://bugzilla.redhat.com/show_bug.cgi?id=2107376

Bug 2107383 (Red Hat): CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
https://bugzilla.redhat.com/show_bug.cgi?id=2107383

Bug 2107386 (Red Hat): CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
https://bugzilla.redhat.com/show_bug.cgi?id=2107386

Bug 2107388 (Red Hat): CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
https://bugzilla.redhat.com/show_bug.cgi?id=2107388

Bug 2107390 (Red Hat): CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
https://bugzilla.redhat.com/show_bug.cgi?id=2107390

Bug 2107392 (Red Hat): CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
https://bugzilla.redhat.com/show_bug.cgi?id=2107392
