SUSE Package Hub - SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-821

Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-821

Security update for grafana

Type: security

Severity: important

Issued: 2023-03-20

Description:

This update for grafana fixes the following issues:

- CVE-2022-23552: Fixed SVG processing by adding a dompurify preprocessor step (bsc#1207749).
- CVE-2022-39324: Fixed originalUrl spoof security issue (bsc#1207750).
- CVE-2022-41723: Fixed go issue to avoid quadratic complexity in HPACK decoding (bsc#1208293).
- CVE-2022-46146: Fixed basic authentication bypass by updating the exporter toolkit (bsc#1208065).
- Trim leading and trailing whitespaces from email and username on signup
- Fix invitation validation: Check whether the provided email address is the same as where the invitation is sent

References

CVE: CVE-2022-46146
CVE: CVE-2022-41723
CVE: CVE-2022-39324
CVE: CVE-2022-23552
Bugzilla: 1208293 VUL-0: CVE-2022-41723: grafana: go1.19,go1.20: net/http: avoid quadratic complexity in HPACK decoding
Bugzilla: 1208065 VUL-0: CVE-2022-46146: grafana: prometheus/exporter-toolkit: authentication bypass via cache poisoning
Bugzilla: 1207750 VUL-0: CVE-2022-39324: grafana: Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the
Bugzilla: 1207749 VUL-0: CVE-2022-23552: grafana: Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plu

Packages

grafana-8.5.20-150200.3.35.1