CVE-2022-23552
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
27/01/2023
Last modified:
07/11/2023
Description
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren&#39;t properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. <br />
<br />
An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. <br />
<br />
Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix.
Impact
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 8.1.0 (including) | 8.5.16 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 9.0.0 (including) | 9.2.10 (excluding) |
| cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* | 9.3.0 (including) | 9.3.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/grafana/grafana/commit/1c8a50b36973bd59a1cc5f34c30de8a9a6a431f0
- https://github.com/grafana/grafana/commit/8b574e22b53aa4c5a35032a58844fd4aaaa12f5f
- https://github.com/grafana/grafana/commit/c022534e3848a5d45c0b3face23b43aa44e4400a
- https://github.com/grafana/grafana/pull/62143
- https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv