CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
AI Score
Confidence: High
EPSS Percentile: 70.5%
The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-6420 advisory.
Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance. An attacker needs to have the Editor role in order to change a panel to include either an external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive a fix. (CVE-2022-23552)
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds. (CVE-2022-39201)
Grafana is an open-source platform for monitoring and observability. When using the forgot password function on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a user not found message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds. (CVE-2022-39307)
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non-existing users get an email invite, while existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds. (CVE-2022-39306)
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the real original dashboard but to the attacker's injected URL. This issue is fixed in versions 8.5.16 and 9.2.8. (CVE-2022-39324)
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources. (CVE-2022-31123)
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication. (CVE-2022-31130)
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection. (CVE-2022-41717)
HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With the fix, header parsing now correctly allocates only the memory required to hold the parsed headers. (CVE-2023-24534)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2023-6420.
##
include('compat.inc');
if (description)
{
  script_id(185870);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/16");

  script_cve_id(
    "CVE-2022-23552",
    "CVE-2022-31123",
    "CVE-2022-31130",
    "CVE-2022-39201",
    "CVE-2022-39306",
    "CVE-2022-39307",
    "CVE-2022-39324",
    "CVE-2022-41717",
    "CVE-2023-24534"
  );
  script_xref(name:"IAVB", value:"2022-B-0059-S");
  script_xref(name:"IAVB", value:"2023-B-0022-S");

  script_name(english:"Oracle Linux 9 : grafana (ELSA-2023-6420)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the
ELSA-2023-6420 advisory.

  - Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and
    prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core
    plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and
    allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana
    instance. An attacker needs to have the Editor role in order to change a panel to include either an
    external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file
    containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor
    role can change to a known password for a user having Admin role if the user with Admin role executes
    malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive
    a fix. (CVE-2022-23552)

  - Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1
    and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins.
    The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination
    plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for
    this issue. There are no known workarounds. (CVE-2022-39201)

  - Grafana is an open-source platform for monitoring and observability. When using the forget password on the
    login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or
    email does not exist, a JSON response contains a user not found message. This leaks information to
    unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported
    to 8.5.15. There are no known workarounds. (CVE-2022-39307)

  - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on
    the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the
    organization they are an admin for. When admins add members to the organization, non existing users get an
    email invite, existing members are added directly to the organization. When an invite link is sent, it
    allows users to sign up with whatever username/email address the user chooses and become a member of the
    organization. This introduces a vulnerability which can be used with malicious intent. This issue is
    patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
    (CVE-2022-39306)

  - Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8,
    malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the
    query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with
    the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no
    longer points to the real original dashboard but to the attacker's injected URL. This issue is
    fixed in versions 8.5.16 and 9.2.8. (CVE-2022-39324)

  - Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and
    8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server
    admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.
    Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins
    downloaded from untrusted sources. (CVE-2022-31123)

  - Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints
    prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some
    conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
    The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14
    contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP
    Header based authentication. (CVE-2022-31130)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server
    connections contain a cache of HTTP header keys sent by the client. While the total number of entries in
    this cache is capped, an attacker sending very large keys can cause the server to allocate approximately
    64 MiB per open connection. (CVE-2022-41717)

  - HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs,
    potentially leading to a denial of service. Certain unusual patterns of input data can cause the common
    function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold
    the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large
    amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service.
    With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
    (CVE-2023-24534)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2023-6420.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected grafana package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-39306");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/11/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:linux:9:3:appstream_base");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:linux:9::appstream");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:grafana");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}
include('rpm.inc');

# Stop early unless local checks ran and the target is Oracle Linux 9.
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');

var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 9', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

# The advisory ships x86_64 and aarch64 builds; anything else is out of scope for this check.
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);

# Fixed package builds from ELSA-2023-6420; an installed grafana older than this is flagged.
var pkgs = [
    {'reference':'grafana-9.2.10-7.el9_3', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'grafana-9.2.10-7.el9_3', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  # Pull the optional per-package fields out of the entry, leaving unset ones NULL.
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
      # Pass the entry's own arch (_cpu) here, consistent with the branch below, rather than the host cpu string.
      if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
      if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  # At least one installed build is below the fixed reference: report it.
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'grafana');
}
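The plugin above flags any installed grafana build that sorts below the advisory's fixed reference `grafana-9.2.10-7.el9_3`. As an added example (not Tenable's rpm.inc or any Grafana project code), this Python re-implements that comparison using rpm's rpmvercmp segment ordering, so a host's `rpm -q grafana` output can be checked offline; the function names and the sample installed versions are constructed for this example, and epoch (which the plugin entry does not set) is ignored.

```python
import re

# Fixed reference from the plugin's pkgs list (from the page); no epoch is given.
FIXED_NVR = "grafana-9.2.10-7.el9_3"

def split_nvr(nvr):
    """Split 'name-version-release' on the two rightmost dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def _segments(s):
    # Tokenise like rpmvercmp: digit runs, letter runs and the '~' marker;
    # every other character is a separator ('^' handling is left out).
    return re.findall(r"[0-9]+|[A-Za-z]+|~", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering two RPM version (or release) strings, following
    rpm's rpmvercmp: numeric segments compare as integers, alphabetic ones lexically,
    numeric beats alphabetic, '~' sorts before anything (even end-of-string), and
    otherwise the string with more segments is newer."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0

def is_affected(installed_nvr, fixed_nvr=FIXED_NVR):
    """True when the installed build is the same package but older than the fix."""
    name, ver, rel = split_nvr(installed_nvr)
    fname, fver, frel = split_nvr(fixed_nvr)
    if name != fname:
        raise ValueError(f"package name mismatch: {name} != {fname}")
    return (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0

def affected_packages(installed):
    """Filter a list of installed grafana NVRs down to those still below the fix."""
    return [nvr for nvr in installed if is_affected(nvr)]

# Constructed sample of installed builds: only the first two are older than the fix.
SAMPLE_INSTALLED = ["grafana-9.0.9-2.el9_1", "grafana-9.2.10-6.el9_3",
                    "grafana-9.2.10-7.el9_3", "grafana-10.0.0-1.el9"]
```

Like the plugin, this compares the package version string only and does not confirm whether the Grafana binary was actually rebuilt with the patched Go toolchain for CVE-2022-41717 and CVE-2023-24534.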
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23552
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31123
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39201
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39306
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39307
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39324
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24534
linux.oracle.com/errata/ELSA-2023-6420.html