SUSE-SU-2022:3676-1: important: Security update for grafana
sle-security-updates at lists.suse.com
Thu Oct 20 16:22:19 UTC 2022
SUSE Security Update: Security update for grafana
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:3676-1
Rating: important
References: #1188571 #1189520 #1192383 #1192763 #1193492
#1193686 #1194873 #1195726 #1195727 #1195728
#1201535 #1201539 #1203596 #1203597 PED-2145
SLE-23422 SLE-23439 SLE-24565
Cross-References: CVE-2021-36222 CVE-2021-3711 CVE-2021-41174
CVE-2021-41244 CVE-2021-43798 CVE-2021-43815
CVE-2022-21673 CVE-2022-21702 CVE-2022-21703
CVE-2022-21713 CVE-2022-31097 CVE-2022-31107
CVE-2022-35957 CVE-2022-36062
CVSS scores:
CVE-2021-36222 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-36222 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-3711 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-3711 (SUSE): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41174 (NVD) : 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
CVE-2021-41174 (SUSE): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
CVE-2021-41244 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41244 (SUSE): 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-43798 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-43798 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-43815 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2021-43815 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2022-21673 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2022-21673 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2022-21702 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-21702 (SUSE): 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
CVE-2022-21703 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-21703 (SUSE): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE-2022-21713 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2022-21713 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE-2022-31097 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-31097 (SUSE): 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE-2022-31107 (NVD) : 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31107 (SUSE): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CVE-2022-35957 (NVD) : 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-35957 (SUSE): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-36062 (NVD) : 3.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CVE-2022-36062 (SUSE): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Affected Products:
SUSE Enterprise Storage 6
______________________________________________________________________________
An update that fixes 14 vulnerabilities and contains four
features is now available.
Description:
This update for grafana fixes the following issues:
Updated to version 8.5.13 (jsc#PED-2145, jsc#SLE-23439, jsc#SLE-23422,
jsc#SLE-24565):
- CVE-2022-36062: Fixed RBAC folders/dashboards privilege escalation
(bsc#1203596).
- CVE-2022-35957: Fixed escalation from admin to server admin when auth
proxy is used (bsc#1203597).
- CVE-2022-31107: Fixed OAuth account takeover (bsc#1201539).
- CVE-2022-31097: Fixed XSS vulnerability in the Unified Alerting
(bsc#1201535).
- CVE-2022-21702: Fixed XSS vulnerability in handling data sources
(bsc#1195726).
- CVE-2022-21703: Fixed cross-origin request forgery vulnerability
(bsc#1195727).
- CVE-2022-21713: Fixed Insecure Direct Object Reference vulnerability in
Teams API (bsc#1195728).
- CVE-2022-21673: Fixed missing error return in GetUserInfo if no user was
found (bsc#1194873).
- CVE-2021-43815: Fixed directory traversal for .csv files (bsc#1193686).
- CVE-2021-41244: Fixed incorrect access control vulnerability
(bsc#1192763).
- CVE-2021-41174: Fixed XSS vulnerability on unauthenticated pages through
interpolation binding expressions for AngularJS in URL (bsc#1192383).
- CVE-2021-3711: Fixed SM2 Decryption Buffer Overflow (bsc#1189520).
- CVE-2021-36222: Fixed a null pointer dereference in the KDC
(bsc#1188571).
- CVE-2021-43798: Fixed arbitrary file read via directory traversal in plugin
asset paths, such as those of the native graph plugin (bsc#1193492).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2022-3676=1
Package List:
- SUSE Enterprise Storage 6 (aarch64 x86_64):
grafana-8.5.13-150100.3.12.1
grafana-debuginfo-8.5.13-150100.3.12.1
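Whether a host actually carries this fix is decided by the installed package's VERSION-RELEASE, not by the Grafana UI version string alone. The script below is an added example, not part of the SUSE advisory: it compares package versions against the fixed build from the Package List above and audits a constructed inventory (the host names and the two older versions are made up for illustration). It uses `sort -V` from GNU coreutils as an approximation of rpm's version ordering, which is adequate for these strings but not for epochs or tilde versions.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): decide whether an installed
# grafana package is at or above the fixed version named in this advisory.
# Assumption: `sort -V` (GNU coreutils) orders these version-release strings
# the same way rpm does; on a live host prefer `zypper versioncmp`.

FIXED_VER="8.5.13-150100.3.12.1"   # VERSION-RELEASE from the Package List above

# version_ge A B: succeed (exit 0) when A sorts at or after B under sort -V.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# grafana_is_fixed VER: exit 0 when VER carries the fix, 1 otherwise.
grafana_is_fixed() {
    version_ge "$1" "$FIXED_VER"
}

# check_host NAME VER: print one verdict line; exit 0 if fixed, 1 if not.
check_host() {
    if grafana_is_fixed "$2"; then
        printf '%-10s grafana-%s  OK         (>= %s)\n' "$1" "$2" "$FIXED_VER"
        return 0
    fi
    printf '%-10s grafana-%s  VULNERABLE (<  %s)\n' "$1" "$2" "$FIXED_VER"
    return 1
}

# Constructed inventory (hypothetical host names) standing in for the output of
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' grafana
# collected from each host: hostname, then version-release.
SAMPLE_INVENTORY="ses-mon1 8.5.13-150100.3.12.1
ses-mon2 7.5.12-150100.3.6.1
ses-mon3 8.3.10-150100.3.9.1
ses-mon4 8.5.13-150100.3.13.1"

# audit_inventory: check every host; exit status is the number of unpatched hosts.
audit_inventory() {
    unpatched=0
    while read -r host ver; do
        [ -n "$host" ] || continue
        check_host "$host" "$ver" || unpatched=$((unpatched + 1))
    done <<EOF
$SAMPLE_INVENTORY
EOF
    return "$unpatched"
}

# Stand-alone run: print the report and the count of unpatched hosts.
audit_inventory && unpatched_hosts=0 || unpatched_hosts=$?
echo "unpatched hosts: $unpatched_hosts"
```

On a real SUSE Enterprise Storage 6 node, feed `check_host "$(hostname)" "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' grafana)"` instead of the constructed inventory, and use `zypper versioncmp VER1 VER2` when the ordering of two version strings is in doubt. The rpm check only proves what is on disk: after `zypper patch` the old grafana-server process may still be running, so confirm with `zypper ps` that no process is still using deleted files before closing the ticket.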
References:
https://www.suse.com/security/cve/CVE-2021-36222.html
https://www.suse.com/security/cve/CVE-2021-3711.html
https://www.suse.com/security/cve/CVE-2021-41174.html
https://www.suse.com/security/cve/CVE-2021-41244.html
https://www.suse.com/security/cve/CVE-2021-43798.html
https://www.suse.com/security/cve/CVE-2021-43815.html
https://www.suse.com/security/cve/CVE-2022-21673.html
https://www.suse.com/security/cve/CVE-2022-21702.html
https://www.suse.com/security/cve/CVE-2022-21703.html
https://www.suse.com/security/cve/CVE-2022-21713.html
https://www.suse.com/security/cve/CVE-2022-31097.html
https://www.suse.com/security/cve/CVE-2022-31107.html
https://www.suse.com/security/cve/CVE-2022-35957.html
https://www.suse.com/security/cve/CVE-2022-36062.html
https://bugzilla.suse.com/1188571
https://bugzilla.suse.com/1189520
https://bugzilla.suse.com/1192383
https://bugzilla.suse.com/1192763
https://bugzilla.suse.com/1193492
https://bugzilla.suse.com/1193686
https://bugzilla.suse.com/1194873
https://bugzilla.suse.com/1195726
https://bugzilla.suse.com/1195727
https://bugzilla.suse.com/1195728
https://bugzilla.suse.com/1201535
https://bugzilla.suse.com/1201539
https://bugzilla.suse.com/1203596
https://bugzilla.suse.com/1203597