drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in grafana und system-user-grafana
Name: |
Mehrere Probleme in grafana und system-user-grafana |
|
ID: |
SUSE-SU-2021:1233-1 |
|
Distribution: |
SUSE |
|
Plattformen: |
SUSE Enterprise Storage 6, SUSE Manager Tools 15 |
|
Datum: |
Fr, 16. April 2021, 00:13 |
|
Referenzen: |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24303
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18623
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12245 |
|
Applikationen: |
system-user-grafana, Grafana |
|
Originalnachricht |
SUSE Security Update: Security update for grafana and system-user-grafana ______________________________________________________________________________
Announcement ID: SUSE-SU-2021:1233-1 Rating: moderate References: #1148383 #1170557 #1170657 #1172409 #1172450 #1175951 #1178243 Cross-References: CVE-2018-18623 CVE-2019-15043 CVE-2019-19499 CVE-2020-12052 CVE-2020-12245 CVE-2020-13379 CVE-2020-24303 CVSS scores: CVE-2018-18623 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2018-18623 (SUSE): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2019-15043 (NVD) : 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-15043 (SUSE): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2019-19499 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2019-19499 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2020-12052 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-12052 (SUSE): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVE-2020-12245 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-12245 (SUSE): 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVE-2020-13379 (NVD) : 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2020-13379 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2020-24303 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2020-24303 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Products: SUSE Manager Tools 15 SUSE Enterprise Storage 6 ______________________________________________________________________________
An update that fixes 7 vulnerabilities is now available.
Description:
This update for grafana and system-user-grafana fixes the following issues:
- Updated grafana to upstream version 7.3.1 * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana * CVE-2020-12245: Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip (bsc#1170557) * CVE-2020-13379: The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault (bsc#1172409) * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana (bsc#1148383) * CVE-2020-12052: Grafana version below 6.7.3 is vulnerable for annotation popup XSS (bsc#1170657) * CVE-2020-24303: Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. (bsc#1178243) * CVE-2018-18623: Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen (bsc#1172450) * CVE-2019-19499: Grafana versions below or equal to 6.4.3 has an Arbitrary File Read vulnerability, which could be exploited by an authenticated attacker that has privileges to modify the data source configurations (bsc#1175951)
* Please refer to this package's changelog to get a full list of all changes (including bug fixes etc.)
- Initial shipment of system-user-grafana to SES 6
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Manager Tools 15:
zypper in -t patch SUSE-SLE-Manager-Tools-15-2021-1233=1
- SUSE Enterprise Storage 6:
zypper in -t patch SUSE-Storage-6-2021-1233=1
Package List:
- SUSE Manager Tools 15 (noarch):
system-user-grafana-1.0.0-3.9.1
- SUSE Enterprise Storage 6 (aarch64 x86_64):
grafana-7.3.1-3.6.1
- SUSE Enterprise Storage 6 (noarch):
system-user-grafana-1.0.0-3.9.1
References:
https://www.suse.com/security/cve/CVE-2018-18623.html https://www.suse.com/security/cve/CVE-2019-15043.html https://www.suse.com/security/cve/CVE-2019-19499.html https://www.suse.com/security/cve/CVE-2020-12052.html https://www.suse.com/security/cve/CVE-2020-12245.html https://www.suse.com/security/cve/CVE-2020-13379.html https://www.suse.com/security/cve/CVE-2020-24303.html https://bugzilla.suse.com/1148383 https://bugzilla.suse.com/1170557 https://bugzilla.suse.com/1170657 https://bugzilla.suse.com/1172409 https://bugzilla.suse.com/1172450 https://bugzilla.suse.com/1175951 https://bugzilla.suse.com/1178243
|
|
|
|