OSV:ALSA-2020:4682
Nov 03, 2020 - 12:26 p.m.

Moderate: grafana security, bug fix, and enhancement update

Source: Google (osv.dev)
Tags: grafana, security update, xss, vulnerabilities, arbitrary file read

AI Score: 5.8 (Confidence: High)

EPSS: 0.005 (Percentile: 77.0%)

Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.

The following packages have been upgraded to a later upstream version: grafana (6.7.4). (BZ#1807323)

Security Fix(es):

  • grafana: XSS vulnerability via a column style on the “Dashboard > Table Panel” screen (CVE-2018-18624)

  • grafana: arbitrary file read via MySQL data source (CVE-2019-19499)

  • grafana: stored XSS (CVE-2020-11110)

  • grafana: XSS annotation popup vulnerability (CVE-2020-12052)

  • grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)

  • grafana: information disclosure through world-readable /var/lib/grafana/grafana.db (CVE-2020-12458)

  • grafana: information disclosure through world-readable grafana configuration files (CVE-2020-12459)

  • grafana: XSS via the OpenTSDB datasource (CVE-2020-13430)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.