grafana-9.3.6-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12723 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z grafana-9.3.6-1.1 on GA media These are all security issues fixed in the grafana-9.3.6-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12723 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12723 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-7753/ SUSE CVE CVE-2020-7753 page https://www.suse.com/security/cve/CVE-2021-3807/ SUSE CVE CVE-2021-3807 page https://www.suse.com/security/cve/CVE-2021-3918/ SUSE CVE CVE-2021-3918 page https://www.suse.com/security/cve/CVE-2021-43138/ SUSE CVE CVE-2021-43138 page https://www.suse.com/security/cve/CVE-2022-0155/ SUSE CVE CVE-2022-0155 page https://www.suse.com/security/cve/CVE-2022-27664/ SUSE CVE CVE-2022-27664 page https://www.suse.com/security/cve/CVE-2022-32149/ SUSE CVE CVE-2022-32149 page openSUSE Tumbleweed grafana-9.3.6-1.1 grafana-9.3.6-1.1 as a component of openSUSE Tumbleweed All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim(). CVE-2020-7753 openSUSE Tumbleweed:grafana-9.3.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-7753.html CVE-2020-7753 https://bugzilla.suse.com/1218843 SUSE Bug 1218843 ansi-regex is vulnerable to Inefficient Regular Expression Complexity CVE-2021-3807 openSUSE Tumbleweed:grafana-9.3.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3807.html CVE-2021-3807 https://bugzilla.suse.com/1192154 SUSE Bug 1192154 json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') CVE-2021-3918 openSUSE Tumbleweed:grafana-9.3.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3918.html CVE-2021-3918 https://bugzilla.suse.com/1192696 SUSE Bug 1192696 In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution. CVE-2021-43138 openSUSE Tumbleweed:grafana-9.3.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-43138.html CVE-2021-43138 https://bugzilla.suse.com/1200480 SUSE Bug 1200480 follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor CVE-2022-0155 openSUSE Tumbleweed:grafana-9.3.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-0155.html CVE-2022-0155 https://bugzilla.suse.com/1218844 SUSE Bug 1218844 In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. CVE-2022-27664 openSUSE Tumbleweed:grafana-9.3.6-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-27664.html CVE-2022-27664 https://bugzilla.suse.com/1203185 SUSE Bug 1203185 https://bugzilla.suse.com/1203293 SUSE Bug 1203293 An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. CVE-2022-32149 openSUSE Tumbleweed:grafana-9.3.6-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-32149.html CVE-2022-32149 https://bugzilla.suse.com/1204501 SUSE Bug 1204501