SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)

high Nessus Plugin ID 171401

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0362-1 advisory.

- Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.
Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources. (CVE-2022-31123)

- Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication. (CVE-2022-31130)

- Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins.
The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds. (CVE-2022-39201)

- Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user's username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue. (CVE-2022-39229)

- Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
(CVE-2022-39306)

- Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a user not found message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds. (CVE-2022-39307)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected grafana package.

See Also

https://bugzilla.suse.com/1204302

https://bugzilla.suse.com/1204303

https://bugzilla.suse.com/1204304

https://bugzilla.suse.com/1204305

https://bugzilla.suse.com/1205225

https://bugzilla.suse.com/1205227

https://www.suse.com/security/cve/CVE-2022-31123

https://www.suse.com/security/cve/CVE-2022-31130

https://www.suse.com/security/cve/CVE-2022-39201

https://www.suse.com/security/cve/CVE-2022-39229

https://www.suse.com/security/cve/CVE-2022-39306

https://www.suse.com/security/cve/CVE-2022-39307

http://www.nessus.org/u?2ee72f12

Plugin Details

Severity: High

ID: 171401

File Name: suse_SU-2023-0362-1.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2/14/2023

Updated: 7/14/2023

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2022-39306

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:grafana, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2/10/2023

Vulnerability Publication Date: 10/13/2022

Reference Information

CVE: CVE-2022-31123, CVE-2022-31130, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307

SuSE: SUSE-SU-2023:0362-1