{"type":"TYPE_SECURITY","shortCode":"RL","name":"RLSA-2022:8057","synopsis":"Important: grafana security, bug fix, and enhancement update","severity":"SEVERITY_IMPORTANT","topic":"An update for grafana is now available for Rocky Linux 9.\nRocky Enterprise Software Foundation Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.","description":"Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. \nThe following packages have been upgraded to a later upstream version: grafana (7.5.15). (BZ#2055349)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\nAdditional Changes:\nFor detailed information on changes in this release, see the Rocky Linux 9.1 Release Notes linked from the References section.","solution":null,"affectedProducts":["Rocky Linux 8"],"fixes":[{"ticket":"2044628","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2044628","description":"CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources"},{"ticket":"2045880","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2045880","description":"CVE-2022-21698 prometheus\/client_golang: Denial of service using InstrumentHandlerCounter"},{"ticket":"2050648","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2050648","description":"CVE-2022-21702 grafana: XSS vulnerability in data source handling"},{"ticket":"2050742","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2050742","description":"CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation"},{"ticket":"2050743","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2050743","description":"CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure"},{"ticket":"2055349","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2055349","description":"Rebase of Grafana in RHEL 9.1"},{"ticket":"2065290","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2065290","description":"CVE-2021-23648 sanitize-url: XSS due to improper sanitization in sanitizeUrl function"},{"ticket":"2104367","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2104367","description":"CVE-2022-31107 grafana: OAuth account takeover"},{"ticket":"2107342","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107342","description":"CVE-2022-30631 golang: compress\/gzip: stack exhaustion in Reader.Read"},{"ticket":"2107371","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107371","description":"CVE-2022-30630 golang: io\/fs: stack exhaustion in Glob"},{"ticket":"2107374","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107374","description":"CVE-2022-1705 golang: net\/http: improper sanitization of Transfer-Encoding header"},{"ticket":"2107376","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107376","description":"CVE-2022-1962 golang: go\/parser: stack exhaustion in all Parse* functions"},{"ticket":"2107383","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107383","description":"CVE-2022-32148 golang: net\/http\/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working"},{"ticket":"2107386","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107386","description":"CVE-2022-30632 golang: path\/filepath: stack exhaustion in Glob"},{"ticket":"2107388","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107388","description":"CVE-2022-30635 golang: encoding\/gob: stack exhaustion in Decoder.Decode"},{"ticket":"2107390","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107390","description":"CVE-2022-28131 golang: encoding\/xml: stack exhaustion in Decoder.Skip"},{"ticket":"2107392","sourceBy":"Red Hat","sourceLink":"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2107392","description":"CVE-2022-30633 golang: encoding\/xml: stack exhaustion in Unmarshal"}],"cves":[{"name":"CVE-2022-1705","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-1705.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:N","cvss3BaseScore":"6.5","cwe":""},{"name":"CVE-2022-1962","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-1962.json","cvss3ScoringVector":"CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:N\/I:N\/A:H","cvss3BaseScore":"5.5","cwe":"CWE-1325"},{"name":"CVE-2022-21698","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-21698.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","cvss3BaseScore":"7.5","cwe":"CWE-772"},{"name":"CVE-2022-28131","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-28131.json","cvss3ScoringVector":"CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:L\/A:H","cvss3BaseScore":"7.3","cwe":"CWE-1325"},{"name":"CVE-2022-30630","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-30630.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","cvss3BaseScore":"7.5","cwe":"CWE-1325"},{"name":"CVE-2022-30631","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-30631.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","cvss3BaseScore":"7.5","cwe":"CWE-1325"},{"name":"CVE-2022-30632","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-30632.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","cvss3BaseScore":"7.5","cwe":"CWE-1325"},{"name":"CVE-2022-30633","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-30633.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","cvss3BaseScore":"7.5","cwe":"CWE-1325"},{"name":"CVE-2022-30635","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-30635.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H","cvss3BaseScore":"7.5","cwe":"CWE-1325"},{"name":"CVE-2022-32148","sourceBy":"Red Hat","sourceLink":"https:\/\/access.redhat.com\/hydra\/rest\/securitydata\/cve\/CVE-2022-32148.json","cvss3ScoringVector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:L\/I:N\/A:N","cvss3BaseScore":"5.3","cwe":""}],"references":[],"publishedAt":"2023-01-30T05:27:10.028150Z","rpms":{},"rebootSuggested":false,"buildReferences":[]}

Rocky Linux: RLSA-2022:8057 Important: grafana security, bug fix, and enhancement update

January 30, 2023
Summary

An update for grafana is now available for Rocky Linux 9. Rocky Enterprise Software Foundation Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the CVEs section below.

Description

Grafana is an open source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB.

The following packages have been upgraded to a later upstream version: grafana (7.5.15). (BZ#2055349)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the CVEs section below.

Additional Changes:

For detailed information on changes in this release, see the Rocky Linux 9.1 Release Notes.

RPMs

No RPM list is attached to this advisory record. The fixed upstream version is grafana 7.5.15; compare it against the output of rpm -q grafana on the host.

References

No References

CVEs

Base scores and vectors are Red Hat's CVSS v3.1 ratings as carried in the advisory record; the affected component is taken from the matching Bugzilla fix. Note that the scored entries are almost all Go standard-library or prometheus/client_golang issues inherited through the Grafana build, most of them stack-exhaustion bugs (CWE-1325) scored for availability. The six Grafana-specific CVEs fixed by this update (CVE-2022-21673, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2021-23648 and CVE-2022-31107: OAuth identity token forwarding, XSS, CSRF privilege escalation, IDOR and OAuth account takeover) carry no CVSS entry in this record and so do not appear in this list; they are recorded only under Fixes below.

CVE-2022-1705  score 6.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N  (no CWE)
  golang: net/http: improper sanitization of Transfer-Encoding header (BZ#2107374)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1705.json

CVE-2022-1962  score 5.5  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H  CWE-1325
  golang: go/parser: stack exhaustion in all Parse* functions (BZ#2107376)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-1962.json

CVE-2022-21698  score 7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  CWE-772
  prometheus/client_golang: Denial of service using InstrumentHandlerCounter (BZ#2045880)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21698.json

CVE-2022-28131  score 7.3  CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H  CWE-1325
  golang: encoding/xml: stack exhaustion in Decoder.Skip (BZ#2107390)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-28131.json

CVE-2022-30630  score 7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  CWE-1325
  golang: io/fs: stack exhaustion in Glob (BZ#2107371)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30630.json

CVE-2022-30631  score 7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  CWE-1325
  golang: compress/gzip: stack exhaustion in Reader.Read (BZ#2107342)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30631.json

CVE-2022-30632  score 7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  CWE-1325
  golang: path/filepath: stack exhaustion in Glob (BZ#2107386)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30632.json

CVE-2022-30633  score 7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  CWE-1325
  golang: encoding/xml: stack exhaustion in Unmarshal (BZ#2107392)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30633.json

CVE-2022-30635  score 7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  CWE-1325
  golang: encoding/gob: stack exhaustion in Decoder.Decode (BZ#2107388)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30635.json

CVE-2022-32148  score 5.3  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N  (no CWE)
  golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (BZ#2107383)
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32148.json

Severity

Severity: Important
Name: RLSA-2022:8057
Affected Products: Rocky Linux 9
Reboot suggested: No

The record's affectedProducts field reads "Rocky Linux 8", but the advisory text, the rebase bug BZ#2055349 ("Rebase of Grafana in RHEL 9.1") and the Rocky Linux 9.1 Release Notes all place this update in Rocky Linux 9; treat the product field as an error in the record. No reboot is needed, but a package update does not restart a running grafana-server service, so restart it after updating so that the patched binary is actually the one in use.

Fixes

Red Hat Bugzilla tickets closed by this update, with the CVE each one tracks:

2044628  CVE-2022-21673  grafana: Forward OAuth Identity Token can allow users to access some data sources
  https://bugzilla.redhat.com/show_bug.cgi?id=2044628

2045880  CVE-2022-21698  prometheus/client_golang: Denial of service using InstrumentHandlerCounter
  https://bugzilla.redhat.com/show_bug.cgi?id=2045880

2050648  CVE-2022-21702  grafana: XSS vulnerability in data source handling
  https://bugzilla.redhat.com/show_bug.cgi?id=2050648

2050742  CVE-2022-21703  grafana: CSRF vulnerability can lead to privilege escalation
  https://bugzilla.redhat.com/show_bug.cgi?id=2050742

2050743  CVE-2022-21713  grafana: IDOR vulnerability can lead to information disclosure
  https://bugzilla.redhat.com/show_bug.cgi?id=2050743

2055349  (no CVE)  Rebase of Grafana in RHEL 9.1
  https://bugzilla.redhat.com/show_bug.cgi?id=2055349

2065290  CVE-2021-23648  sanitize-url: XSS due to improper sanitization in sanitizeUrl function
  https://bugzilla.redhat.com/show_bug.cgi?id=2065290

2104367  CVE-2022-31107  grafana: OAuth account takeover
  https://bugzilla.redhat.com/show_bug.cgi?id=2104367

2107342  CVE-2022-30631  golang: compress/gzip: stack exhaustion in Reader.Read
  https://bugzilla.redhat.com/show_bug.cgi?id=2107342

2107371  CVE-2022-30630  golang: io/fs: stack exhaustion in Glob
  https://bugzilla.redhat.com/show_bug.cgi?id=2107371

2107374  CVE-2022-1705  golang: net/http: improper sanitization of Transfer-Encoding header
  https://bugzilla.redhat.com/show_bug.cgi?id=2107374

2107376  CVE-2022-1962  golang: go/parser: stack exhaustion in all Parse* functions
  https://bugzilla.redhat.com/show_bug.cgi?id=2107376

2107383  CVE-2022-32148  golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
  https://bugzilla.redhat.com/show_bug.cgi?id=2107383

2107386  CVE-2022-30632  golang: path/filepath: stack exhaustion in Glob
  https://bugzilla.redhat.com/show_bug.cgi?id=2107386

2107388  CVE-2022-30635  golang: encoding/gob: stack exhaustion in Decoder.Decode
  https://bugzilla.redhat.com/show_bug.cgi?id=2107388

2107390  CVE-2022-28131  golang: encoding/xml: stack exhaustion in Decoder.Skip
  https://bugzilla.redhat.com/show_bug.cgi?id=2107390

2107392  CVE-2022-30633  golang: encoding/xml: stack exhaustion in Unmarshal
  https://bugzilla.redhat.com/show_bug.cgi?id=2107392
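The CVEs and Fixes lists above both come from the JSON record at the top of this page, and the two disagree: the fix descriptions name sixteen CVEs while the scored list carries ten, and the record's affectedProducts contradicts its own topic text. The following Python is an added triage helper, not part of the advisory and not Rocky's or Red Hat's tooling. It joins the two lists: it extracts every CVE id from the Bugzilla fix descriptions, reports the ones the record never scores, ranks the scored ones that are reachable over the network without credentials (AV:N and PR:N), flags the release mismatch, and checks a package changelog for the advisory's CVE ids. The field names (topic, affectedProducts, fixes, cves, cvss3ScoringVector, cvss3BaseScore) are those of the record above; the embedded record is a trimmed excerpt, the changelog text and the packager name in it are constructed, and the function names are assumptions of this example.

```python
"""Triage helper for Rocky Linux errata records in the JSON shape shown at the
top of this page.  Added example; not Rocky's or Red Hat's own tooling."""
import json
import re
import sys

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt of the RLSA-2022:8057 record above, trimmed to a few
# fixes and CVSS entries so the example runs offline.  Pass "-" as the first
# argument and pipe the full record on stdin to triage the whole advisory.
SAMPLE_ADVISORY = json.loads(r'''
{"name": "RLSA-2022:8057",
 "topic": "An update for grafana is now available for Rocky Linux 9.",
 "affectedProducts": ["Rocky Linux 8"],
 "fixes": [
  {"ticket": "2044628", "description": "CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources"},
  {"ticket": "2045880", "description": "CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter"},
  {"ticket": "2055349", "description": "Rebase of Grafana in RHEL 9.1"},
  {"ticket": "2104367", "description": "CVE-2022-31107 grafana: OAuth account takeover"},
  {"ticket": "2107342", "description": "CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read"},
  {"ticket": "2107374", "description": "CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header"},
  {"ticket": "2107376", "description": "CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions"}],
 "cves": [
  {"name": "CVE-2022-1705", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "cvss3BaseScore": "6.5"},
  {"name": "CVE-2022-1962", "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "5.5"},
  {"name": "CVE-2022-21698", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5"},
  {"name": "CVE-2022-30631", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5"}]}
''')

# Constructed stand-in for `rpm -q --changelog grafana` output on a host whose
# package only mentions two of the CVEs; the packager line is made up.
SAMPLE_CHANGELOG = """\
* Mon Jan 02 2023 Example Packager <packager@example.invalid> - 7.5.15-1
- rebase to 7.5.15
- resolves CVE-2022-21698 CVE-2022-31107
"""


def parse_cvss_vector(vector):
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    return dict(p.split(":", 1) for p in parts[1:])


def cves_in_fixes(advisory):
    """Every CVE id named in the Bugzilla fix descriptions."""
    found = set()
    for fix in advisory["fixes"]:
        found.update(CVE_RE.findall(fix["description"]))
    return found


def unscored_cves(advisory):
    """CVEs the update fixes but for which the record carries no CVSS entry.
    The rendered CVE list on the page is built from the scored entries only,
    so these are exactly the ones a reader of that list would miss."""
    scored = {c["name"] for c in advisory["cves"]}
    return sorted(cves_in_fixes(advisory) - scored)


def network_unauthenticated(advisory):
    """Scored CVEs reachable over the network without credentials
    (AV:N and PR:N), highest base score first, then by id."""
    hits = []
    for c in advisory["cves"]:
        v = parse_cvss_vector(c["cvss3ScoringVector"])
        if v.get("AV") == "N" and v.get("PR") == "N":
            hits.append((c["name"], float(c["cvss3BaseScore"])))
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def product_mismatch(advisory):
    """True when affectedProducts names a different Rocky release than the
    topic text does (this record says 9 in the topic and 8 in the field)."""
    in_topic = set(re.findall(r"Rocky Linux (\d+)", advisory["topic"]))
    listed = set(re.findall(r"Rocky Linux (\d+)", " ".join(advisory["affectedProducts"])))
    return in_topic != listed


def missing_from_changelog(changelog, cves):
    """Advisory CVE ids that the installed package's changelog never mentions."""
    return sorted(set(cves) - set(CVE_RE.findall(changelog)))


if __name__ == "__main__":
    adv = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_ADVISORY
    print("product mismatch:", product_mismatch(adv))
    print("unscored CVEs:", unscored_cves(adv))
    print("network, unauthenticated:", network_unauthenticated(adv))
    print("not in changelog:", missing_from_changelog(SAMPLE_CHANGELOG, cves_in_fixes(adv)))
```

On a Rocky Linux 9 host, feed the real changelog to missing_from_changelog from rpm -q --changelog grafana, compare rpm -q grafana against 7.5.15, and use dnf updateinfo info RLSA-2022:8057 to confirm the advisory is visible in the enabled repositories. The changelog check is only a sanity check: a packager may close several CVEs under one line or omit the ids, so an empty "not in changelog" result is evidence, not proof, that the build is fixed.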
