Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - grafana: session control failure may lead to information disclosure (CVE-2022-32275)

  - protobufjs: prototype pollution using user-controlled protobuf message (CVE-2023-36665)

  - The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to     add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by     providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions 2. by     parsing/loading .proto files (CVE-2022-25878)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-6420 advisory.

    - resolve CVE-2023-39325 CVE-2023-44487 rapid stream resets can cause excessive work
    - resolve CVE-2023-3128 grafana: account takeover possible when using Azure AD OAuth
    - resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in
    - resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws
    - resolve CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used     (rhbz#2125530)
    - resolve CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions
    - resolve CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
    - resolve CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not     working
    - resolve CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read
    - resolve CVE-2022-30630 golang: io/fs: stack exhaustion in Glob
    - resolve CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob
    - resolve CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
    - resolve CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip
    - resolve CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal
    - resolve CVE-2022-31107 grafana: OAuth account takeover
    - resolve CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
    - resolve CVE-2022-21702 grafana: XSS vulnerability in data source handling
    - resolve CVE-2022-21703 grafana: CSRF vulnerability can lead to privilege escalation
    - resolve CVE-2022-21713 grafana: IDOR vulnerability can lead to information disclosure
    - resolve CVE-2021-23648 sanitize-url: XSS
    - resolve CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
    - resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:6420 advisory.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    Security Fix(es):

    * grafana: persistent xss in grafana core plugins (CVE-2022-23552)

    * grafana: plugin signature bypass (CVE-2022-31123)

    * grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination     plugins (CVE-2022-31130)

    * grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination     plugins (CVE-2022-39201)

    * grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)

    * grafana: User enumeration via forget password (CVE-2022-39307)

    * grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)

    * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

    * golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0821-1 advisory.

  - Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and     prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core     plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and     allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana     instance. An attacker needs to have the Editor role in order to change a panel to include either an     external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file     containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor     role can change to a known password for a user having Admin role if the user with Admin role executes     malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive     a fix. (CVE-2022-23552)

  - Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8,     malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the     query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with     the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no     longer points to the to the real original dashboard but to the attacker's injected URL. This issue is     fixed in versions 8.5.16 and 9.2.8. (CVE-2022-39324)

  - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient     to cause a denial of service from a small number of small requests. (CVE-2022-41723)

  - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if     someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by     poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There     is no workaround, but attacker must have access to the hashed password to use this functionality.
    (CVE-2022-46146)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0812-1 advisory.

  - Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and     prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core     plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and     allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana     instance. An attacker needs to have the Editor role in order to change a panel to include either an     external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file     containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor     role can change to a known password for a user having Admin role if the user with Admin role executes     malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive     a fix. (CVE-2022-23552)

  - Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8,     malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the     query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with     the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no     longer points to the to the real original dashboard but to the attacker's injected URL. This issue is     fixed in versions 8.5.16 and 9.2.8. (CVE-2022-39324)

  - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient     to cause a denial of service from a small number of small requests. (CVE-2022-41723)

  - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if     someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by     poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There     is no workaround, but attacker must have access to the hashed password to use this functionality.
    (CVE-2022-46146)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the e6281d88-a7a7-11ed-8d6a-6c3be5272acd advisory.

  - Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8,     malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the     query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with     the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no     longer points to the to the real original dashboard but to the attacker's injected URL. This issue is     fixed in versions 8.5.16 and 9.2.8. (CVE-2022-39324)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
199102	RHEL 8 : grafana (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
185870	Oracle Linux 9 : grafana (ELSA-2023-6420)	Nessus	Oracle Linux Local Security Checks	high
185127	RHEL 9 : grafana (RHSA-2023:6420)	Nessus	Red Hat Local Security Checks	high
173225	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0821-1)	Nessus	SuSE Local Security Checks	high
173218	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:0812-1)	Nessus	SuSE Local Security Checks	high
171247	FreeBSD : Grafana -- Spoofing originalUrl of snapshots (e6281d88-a7a7-11ed-8d6a-6c3be5272acd)	Nessus	FreeBSD Local Security Checks	low

Detections

Analytics

CVE-2022-39324

low

Tenable Plugins

critical

high

high

high

high

low