SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-362

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-362

Security update for grafana

Type: security

Severity: moderate

Issued: 2023-02-10

Description:

This update for grafana fixes the following issues:

- Version update from 8.5.13 to 8.5.15 (jsc#PED-2617):
  * CVE-2022-39306: Security fix for privilege escalation (bsc#1205225)
  * CVE-2022-39307: Omit error from http response when user does not exists (bsc#1205227)
  * CVE-2022-39201: Do not forward login cookie in outgoing requests (bsc#1204303)
  * CVE-2022-31130: Make proxy endpoints not leak sensitive HTTP headers (bsc#1204305)
  * CVE-2022-31123: Fix plugin signature bypass (bsc#1204302)
  * CVE-2022-39229: Fix blocking other users from signing in (bsc#1204304)

References

CVE: CVE-2022-39307
CVE: CVE-2022-39306
CVE: CVE-2022-39229
CVE: CVE-2022-39201
CVE: CVE-2022-31130
CVE: CVE-2022-31123
Bugzilla: 1205227 VUL-0: CVE-2022-39307: grafana: user enumeration via forget password
Bugzilla: 1205225 VUL-0: CVE-2022-39306: grafana: email addresses and usernames cannot be trusted
Bugzilla: 1204305 VUL-0: CVE-2022-31130: grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Bugzilla: 1204304 VUL-0: CVE-2022-39229: grafana: using email as a username can block other users from signing in
Bugzilla: 1204303 VUL-0: CVE-2022-39201: grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
Bugzilla: 1204302 VUL-0: CVE-2022-31123: grafana: plugin signature bypass

Packages

grafana-8.5.15-150200.3.32.1