Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 725110 (CVE-2020-13430) - <www-apps/grafana-bin-7.1.3: XSS via the OpenTSDB datasource (CVE-2020-13430)
Summary: <www-apps/grafana-bin-7.1.3: XSS via the OpenTSDB datasource (CVE-2020-13430)
Status: RESOLVED FIXED
Alias: CVE-2020-13430
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/grafana/grafana/pu...
Whiteboard: ~4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-24 18:54 UTC by Sam James
Modified: 2020-11-01 22:36 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-24 18:54:09 UTC
Description:
"Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-24 18:54:30 UTC
May be backported to 6.7.x as per PR?
Comment 2 John Helmert III gentoo-dev Security 2020-07-29 06:13:58 UTC
(In reply to Sam James from comment #1)
> May be backported to 6.7.x as per PR?

No.

https://github.com/grafana/grafana/pull/24539#issuecomment-658014066:

@rotemreiss @pyogesh2 From what I hear, we only backport critical security fixes, and recommend instead upgrading to v7 for this one.
Comment 3 Larry the Git Cow gentoo-dev 2020-08-20 00:03:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77439a6401a71baa4f5531618182b52947c13708

commit 77439a6401a71baa4f5531618182b52947c13708
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-20 00:02:59 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-20 00:03:13 +0000

    www-apps/grafana-bin: bump to v7.1.3
    
    Closes: https://bugs.gentoo.org/701238
    Closes: https://bugs.gentoo.org/730336
    Bug: https://bugs.gentoo.org/725110
    Bug: https://bugs.gentoo.org/726946
    Package-Manager: Portage-3.0.3, Repoman-3.0.0
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/grafana-bin/grafana-bin-7.1.3.ebuild | 35 +++++++++++----------------
 1 file changed, 14 insertions(+), 21 deletions(-)
Comment 4 John Helmert III gentoo-dev Security 2020-08-20 01:00:14 UTC
Thanks for bump. Please cleanup <7.1.3.
Comment 5 Thomas Deutschmann gentoo-dev 2020-11-01 22:36:16 UTC
Repository is clean, all done!