Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 903143 (CVE-2023-1410)

Summary: <www-apps/grafana-bin-{9.3.11,9.4.7}: stored XSS
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: patrick
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-27 00:37:30 UTC 
CVE-2023-1410 (https://grafana.com/security/security-advisories/cve-2023-1410/):

Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.

Please bump to 9.3.11, 9.4.7.
Comment 1 Larry the Git Cow gentoo-dev 2023-03-27 04:55:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19fbe71dc67a48543f3a86cbce9b3405e1070bdc

commit 19fbe71dc67a48543f3a86cbce9b3405e1070bdc
Author:     Patrick Lauer <patrick@gentoo.org>
AuthorDate: 2023-03-27 04:55:17 +0000
Commit:     Patrick Lauer <patrick@gentoo.org>
CommitDate: 2023-03-27 04:55:17 +0000

    www-apps/grafana-bin: Add 9.3.11 9.4.7
    
    Also remove old
    
    Bug: https://bugs.gentoo.org/903143
    Signed-off-by: Patrick Lauer <patrick@gentoo.org>

 www-apps/grafana-bin/Manifest                      |  7 +--
 www-apps/grafana-bin/files/grafana.initd           | 36 ------------
 www-apps/grafana-bin/grafana-bin-9.3.0.ebuild      | 66 ----------------------
 ...n-9.3.8-r1.ebuild => grafana-bin-9.3.11.ebuild} |  0
 www-apps/grafana-bin/grafana-bin-9.3.2.ebuild      | 66 ----------------------
 www-apps/grafana-bin/grafana-bin-9.3.6.ebuild      | 66 ----------------------
 ...in-9.4.3-r1.ebuild => grafana-bin-9.4.7.ebuild} |  0
 7 files changed, 2 insertions(+), 239 deletions(-)