Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 725110 (CVE-2020-13430) - <www-apps/grafana-bin-7.1.3: XSS via the OpenTSDB datasource (CVE-2020-13430)
Summary: <www-apps/grafana-bin-7.1.3: XSS via the OpenTSDB datasource (CVE-2020-13430)
Status: RESOLVED FIXED
Alias: CVE-2020-13430
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/grafana/grafana/pu...
Whiteboard: ~4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-24 18:54 UTC by Sam James
Modified: 2020-11-01 22:36 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-24 18:54:09 UTC 
Description:
"Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-24 18:54:30 UTC 
May be backported to 6.7.x as per PR?
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-29 06:13:58 UTC 
(In reply to Sam James from comment #1)
> May be backported to 6.7.x as per PR?

No.

https://github.com/grafana/grafana/pull/24539#issuecomment-658014066:

@rotemreiss @pyogesh2 From what I hear, we only backport critical security fixes, and recommend instead upgrading to v7 for this one.
Comment 3 Larry the Git Cow gentoo-dev 2020-08-20 00:03:44 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77439a6401a71baa4f5531618182b52947c13708

commit 77439a6401a71baa4f5531618182b52947c13708
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-20 00:02:59 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-20 00:03:13 +0000

    www-apps/grafana-bin: bump to v7.1.3
    
    Closes: https://bugs.gentoo.org/701238
    Closes: https://bugs.gentoo.org/730336
    Bug: https://bugs.gentoo.org/725110
    Bug: https://bugs.gentoo.org/726946
    Package-Manager: Portage-3.0.3, Repoman-3.0.0
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/grafana-bin/grafana-bin-7.1.3.ebuild | 35 +++++++++++----------------
 1 file changed, 14 insertions(+), 21 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-20 01:00:14 UTC 
Thanks for bump. Please cleanup <7.1.3.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-01 22:36:16 UTC 
Repository is clean, all done!