grafana-7.5.7-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10818-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z grafana-7.5.7-1.2 on GA media These are all security issues fixed in the grafana-7.5.7-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10818 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-19039/ SUSE CVE CVE-2018-19039 page https://www.suse.com/security/cve/CVE-2019-15043/ SUSE CVE CVE-2019-15043 page https://www.suse.com/security/cve/CVE-2020-12245/ SUSE CVE CVE-2020-12245 page https://www.suse.com/security/cve/CVE-2020-13379/ SUSE CVE CVE-2020-13379 page https://www.suse.com/security/cve/CVE-2021-27962/ SUSE CVE CVE-2021-27962 page https://www.suse.com/security/cve/CVE-2021-28146/ SUSE CVE CVE-2021-28146 page https://www.suse.com/security/cve/CVE-2021-28148/ SUSE CVE CVE-2021-28148 page openSUSE Tumbleweed grafana-7.5.7-1.2 grafana-7.5.7-1.2 as a component of openSUSE Tumbleweed Grafana before 4.6.5 and 5.x before 5.3.3 allows remote authenticated users to read arbitrary files by leveraging Editor or Admin permissions. CVE-2018-19039 openSUSE Tumbleweed:grafana-7.5.7-1.2 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19039.html CVE-2018-19039 https://bugzilla.suse.com/1115960 SUSE Bug 1115960 In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use. This makes it possible to run a denial of service attack against the server running Grafana. CVE-2019-15043 openSUSE Tumbleweed:grafana-7.5.7-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-15043.html CVE-2019-15043 https://bugzilla.suse.com/1148383 SUSE Bug 1148383 Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip. CVE-2020-12245 openSUSE Tumbleweed:grafana-7.5.7-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12245.html CVE-2020-12245 https://bugzilla.suse.com/1170557 SUSE Bug 1170557 The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault. CVE-2020-13379 openSUSE Tumbleweed:grafana-7.5.7-1.2 important 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-13379.html CVE-2020-13379 https://bugzilla.suse.com/1172409 SUSE Bug 1172409 Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access. CVE-2021-27962 openSUSE Tumbleweed:grafana-7.5.7-1.2 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-27962.html CVE-2021-27962 https://bugzilla.suse.com/1184371 SUSE Bug 1184371 The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to grant a user team permissions that the user isn't supposed to have. CVE-2021-28146 openSUSE Tumbleweed:grafana-7.5.7-1.2 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-28146.html CVE-2021-28146 https://bugzilla.suse.com/1183811 SUSE Bug 1183811 One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a denial of service (DoS) attack against a Grafana Enterprise instance. CVE-2021-28148 openSUSE Tumbleweed:grafana-7.5.7-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-28148.html CVE-2021-28148 https://bugzilla.suse.com/1183813 SUSE Bug 1183813