The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0362-1 advisory.
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.
Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources. (CVE-2022-31123)
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
The destination plugin could receive a userโs Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication. (CVE-2022-31130)
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins.
The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a userโs Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds. (CVE-2022-39201)
Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another userโs login attempt by registering someone elseโe email address as a username. A Grafana userโs username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where user_1
can register with one email address and user_2
can register their username as user_1
โs email address. This prevents user_1
logging into the application since user_1
โs password wonโt match with user_2
โs email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue. (CVE-2022-39229)
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
(CVE-2022-39306)
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email
URL. When the username or email does not exist, a JSON response contains a user not found message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. There are no known workarounds. (CVE-2022-39307)
Note that Nessus has not tested for these issues but has instead relied only on the applicationโs self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2023:0362-1. The text itself
# is copyright (C) SUSE.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(171401);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/14");
script_cve_id(
"CVE-2022-31123",
"CVE-2022-31130",
"CVE-2022-39201",
"CVE-2022-39229",
"CVE-2022-39306",
"CVE-2022-39307"
);
script_xref(name:"SuSE", value:"SUSE-SU-2023:0362-1");
script_name(english:"SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is
affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0362-1 advisory.
- Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and
8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server
admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.
Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins
downloaded from untrusted sources. (CVE-2022-31123)
- Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints
prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some
conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14
contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP
Header based authentication. (CVE-2022-31130)
- Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1
and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins.
The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination
plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for
this issue. There are no known workarounds. (CVE-2022-39201)
- Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to
9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email
address as a username. A Grafana user's username and email address are unique fields, that means no other
user can have the same username or email address as another user. A user can have an email address as a
username. However, the login system allows users to log in with either username or email address. Since
Grafana allows a user to log in with either their username or email address, this creates an usual
behavior where `user_1` can register with one email address and `user_2` can register their username as
`user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password
won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no
workarounds for this issue. (CVE-2022-39229)
- Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on
the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the
organization they are an admin for. When admins add members to the organization, non existing users get an
email invite, existing members are added directly to the organization. When an invite link is sent, it
allows users to sign up with whatever username/email address the user chooses and become a member of the
organization. This introduces a vulnerability which can be used with malicious intent. This issue is
patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
(CVE-2022-39306)
- Grafana is an open-source platform for monitoring and observability. When using the forget password on the
login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or
email does not exist, a JSON response contains a user not found message. This leaks information to
unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported
to 8.5.15. There are no known workarounds. (CVE-2022-39307)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1204302");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1204303");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1204304");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1204305");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1205225");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1205227");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-31123");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-31130");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-39201");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-39229");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-39306");
script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2022-39307");
# https://lists.suse.com/pipermail/sle-security-updates/2023-February/013726.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2ee72f12");
script_set_attribute(attribute:"solution", value:
"Update the affected grafana package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-39306");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/13");
script_set_attribute(attribute:"patch_publication_date", value:"2023/02/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:grafana");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release !~ "^(SLED|SLES|SUSE)") audit(AUDIT_OS_NOT, "SUSE / openSUSE");
var os_ver = pregmatch(pattern: "^(SLE(S|D)(?:_SAP)?\d+|SUSE([\d.]+))", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE / openSUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED15|SLED_SAP15|SLES15|SLES_SAP15|SUSE15\.4)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15', 'SUSE / openSUSE (' + os_ver + ')');
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE / openSUSE (' + os_ver + ')', cpu);
var service_pack = get_kb_item("Host/SuSE/patchlevel");
if (isnull(service_pack)) service_pack = "0";
if (os_ver == "SLED15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLED15 SP4", os_ver + " SP" + service_pack);
if (os_ver == "SLED_SAP15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLED_SAP15 SP4", os_ver + " SP" + service_pack);
if (os_ver == "SLES15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES15 SP4", os_ver + " SP" + service_pack);
if (os_ver == "SLES_SAP15" && (! preg(pattern:"^(4)$", string:service_pack))) audit(AUDIT_OS_NOT, "SLES_SAP15 SP4", os_ver + " SP" + service_pack);
var pkgs = [
{'reference':'grafana-8.5.15-150200.3.32.1', 'sp':'4', 'release':'SLED_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'grafana-8.5.15-150200.3.32.1', 'sp':'4', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.4']},
{'reference':'grafana-8.5.15-150200.3.32.1', 'sp':'4', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-packagehub-subpackages-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},
{'reference':'grafana-8.5.15-150200.3.32.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-release-15.4', 'sle-module-packagehub-subpackages-release-15.4', 'sled-release-15.4', 'sles-release-15.4']},
{'reference':'grafana-8.5.15-150200.3.32.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']}
];
var ltss_caveat_required = FALSE;
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var exists_check = NULL;
var rpm_spec_vers_cmp = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (reference && _release) {
if (exists_check) {
var check_flag = 0;
foreach var check (exists_check) {
if (!rpm_exists(release:_release, rpm:check)) continue;
check_flag++;
}
if (!check_flag) continue;
}
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'grafana');
}
Vendor | Product | Version | CPE |
---|---|---|---|
novell | suse_linux | grafana | p-cpe:/a:novell:suse_linux:grafana |
novell | suse_linux | 15 | cpe:/o:novell:suse_linux:15 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31123
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39201
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39229
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39306
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39307
www.nessus.org/u?2ee72f12
bugzilla.suse.com/1204302
bugzilla.suse.com/1204303
bugzilla.suse.com/1204304
bugzilla.suse.com/1204305
bugzilla.suse.com/1205225
bugzilla.suse.com/1205227
www.suse.com/security/cve/CVE-2022-31123
www.suse.com/security/cve/CVE-2022-31130
www.suse.com/security/cve/CVE-2022-39201
www.suse.com/security/cve/CVE-2022-39229
www.suse.com/security/cve/CVE-2022-39306
www.suse.com/security/cve/CVE-2022-39307