Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 908081 (CVE-2023-2183, CVE-2023-2801) - <www-apps/grafana-bin-{9.3.15,9.4.12,9.5.3}: multiple vulnerabilities
Summary: <www-apps/grafana-bin-{9.3.15,9.4.12,9.5.3}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-2183, CVE-2023-2801
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-09 03:46 UTC by John Helmert III
Modified: 2023-06-12 04:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-09 03:46:55 UTC 
CVE-2023-2183 (https://grafana.com/security/security-advisories/cve-2023-2183/):

Grafana is an open-source platform for monitoring and observability. 

The option to send a test alert is not available from the user panel UI for users having the Viewer role. It is still possible for a user with the Viewer role to send a test alert using the API as the API does not check access to this function.

This might enable malicious users to abuse the functionality by sending multiple alert messages to e-mail and Slack, spamming users, prepare Phishing attack or block SMTP server.

Users may upgrade to version 9.5.3, 9.4.12, 9.3.15, 9.2.19 and 8.5.26 to receive a fix.

CVE-2023-2801 (https://grafana.com/security/security-advisories/cve-2023-2801/):

Grafana is an open-source platform for monitoring and observability. 

Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.

The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.

This might enable malicious users to crash Grafana instances through that endpoint.

Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.

Please bump each branch to a fixed version.
Comment 1 Larry the Git Cow gentoo-dev 2023-06-09 05:26:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20c0b8a0f06bb127cab7a2dd7859cedc4e61da6d

commit 20c0b8a0f06bb127cab7a2dd7859cedc4e61da6d
Author:     Patrick Lauer <patrick@gentoo.org>
AuthorDate: 2023-06-09 05:26:21 +0000
Commit:     Patrick Lauer <patrick@gentoo.org>
CommitDate: 2023-06-09 05:26:49 +0000

    www-apps/grafana-bin: Bump, remove old
    
    Bug: https://bugs.gentoo.org/908081
    Signed-off-by: Patrick Lauer <patrick@gentoo.org>

 www-apps/grafana-bin/Manifest                                       | 6 +++---
 .../{grafana-bin-9.3.13.ebuild => grafana-bin-9.3.15.ebuild}        | 0
 .../{grafana-bin-9.4.9.ebuild => grafana-bin-9.4.12.ebuild}         | 0
 .../{grafana-bin-9.5.1.ebuild => grafana-bin-9.5.3.ebuild}          | 0
 4 files changed, 3 insertions(+), 3 deletions(-)