Bug 1170557 - (CVE-2020-12245) VUL-0: CVE-2020-12245: grafana: XSS in table-panel via column.title or cellLinkTooltip
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
P3 - Medium : Normal
Assigned To: Joao Cavalheiro
Security Team bot
https://smash.suse.de/issue/258456/
CVSSv3.1:SUSE:CVE-2020-12245:6.4:(AV...
Reported: 2020-04-27 08:43 UTC by Alexandros Toptsoglou
Modified: 2021-04-15 19:51 UTC (History)
Found By: Security Response Team
Comment 1 Alexandros Toptsoglou 2020-04-27 08:45:40 UTC
Tracked as affected: SLE12, SOC 7, 8, 9, SES 5, 6 and SLE15. The fix is available at [1] and seems to apply cleanly everywhere.


[1] https://github.com/grafana/grafana/pull/23816/commits
Comment 2 Nanuk Krinner 2020-04-27 08:57:03 UTC
Joao, as grafana bugowner: Can you take a look at this? Thanks.
Comment 3 Joao Cavalheiro 2020-04-27 12:29:15 UTC
This will be solved with a version upgrade to 6.7.3, to be submitted soon to server:monitoring project. Thanks for reporting this.
Comment 4 Swamp Workflow Management 2020-04-30 17:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1170557) was mentioned in
https://build.opensuse.org/request/show/799306 Factory / grafana
Comment 7 Swamp Workflow Management 2020-06-23 16:17:14 UTC
SUSE-SU-2020:1718-1: An update that solves 6 vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 1134195,1141661,1159284,1165572,1168310,1168340,1169604,1169800,1170104,1170231,1170288,1170557,1170595,1170684,1171687,1171906,1172075,1172462,1173072
CVE References: CVE-2019-10215,CVE-2019-15043,CVE-2020-11651,CVE-2020-11652,CVE-2020-12245,CVE-2020-13379
Sources used:
SUSE Manager Tools 12-BETA (src):    cobbler-2.6.6-52.3.2, golang-github-prometheus-prometheus-2.18.0-4.6.2, grafana-7.0.3-4.3.2, salt-3000-49.20.1, spacecmd-4.1.4-41.9.2, spacewalk-client-tools-4.1.5-55.15.2, suseRegisterInfo-4.1.2-28.6.2, uyuni-common-libs-4.1.5-3.12.2, zypp-plugin-spacewalk-1.0.7-33.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-06-23 16:54:11 UTC
SUSE-SU-2020:1715-1: An update that solves 6 vulnerabilities and has 12 fixes is now available.

Category: security (moderate)
Bug References: 1159284,1165572,1168310,1168340,1169604,1169800,1170104,1170231,1170288,1170557,1170595,1170684,1170824,1171687,1171906,1172075,1172462,1173072
CVE References: CVE-2019-10215,CVE-2019-15043,CVE-2020-11651,CVE-2020-11652,CVE-2020-12245,CVE-2020-13379
Sources used:
SUSE Manager Tools 15-BETA (src):    dracut-saltboot-0.1.1590413773.a959db7-3.18.2, golang-github-prometheus-prometheus-2.18.0-6.6.2, grafana-7.0.3-4.3.2, koan-2.9.0-7.6.2, salt-3000-8.20.1, spacecmd-4.1.4-6.9.2, spacewalk-client-tools-4.1.5-6.15.2, suseRegisterInfo-4.1.2-6.6.2, uyuni-common-libs-4.1.5-3.12.2, zypp-plugin-spacewalk-1.0.7-6.6.2

Comment 10 Swamp Workflow Management 2020-06-28 10:13:05 UTC
openSUSE-SU-2020:0892-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1170557
CVE References: CVE-2019-15043,CVE-2020-12245,CVE-2020-13379
Sources used:
openSUSE Leap 15.2 (src):    grafana-7.0.3-lp152.2.3.1, grafana-piechart-panel-1.4.0-lp152.2.3.1, grafana-status-panel-1.0.9-lp152.2.3.1
Comment 11 Swamp Workflow Management 2020-07-21 04:52:42 UTC
SUSE-SU-2020:1970-1: An update that solves four vulnerabilities and has 15 fixes is now available.

Category: security (moderate)
Bug References: 1113160,1134195,1138822,1141661,1142038,1143913,1148177,1153090,1153277,1154940,1154968,1155372,1163871,1165921,1168310,1170231,1170557,1171687,1172462
CVE References: CVE-2019-10215,CVE-2019-15043,CVE-2020-12245,CVE-2020-13379
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE OpenStack Cloud Crowbar 8 (src):    golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE OpenStack Cloud 9 (src):    cobbler-2.6.6-49.26.3, golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE OpenStack Cloud 8 (src):    cobbler-2.6.6-49.26.3, golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE Manager Tools 12 (src):    cobbler-2.6.6-49.26.3, golang-github-prometheus-node_exporter-0.18.1-1.6.2, golang-github-prometheus-prometheus-2.18.0-1.12.2, grafana-7.0.3-1.9.3, mgr-cfg-4.1.2-1.12.3, mgr-custom-info-4.1.1-1.6.1, mgr-daemon-4.1.1-1.14.2, mgr-osad-4.1.2-1.15.2, mgr-push-4.1.1-1.6.3, mgr-virtualization-4.1.1-1.14.3, rhnlib-4.1.2-21.22.2, spacecmd-4.1.4-38.61.2, spacewalk-client-tools-4.1.5-52.32.2, spacewalk-koan-4.1.1-24.12.2, spacewalk-oscap-4.1.1-19.12.1, spacewalk-remote-utils-4.1.1-24.15.3, supportutils-plugin-susemanager-client-4.1.2-6.15.1, suseRegisterInfo-4.1.2-25.9.2, uyuni-base-4.1.1-1.3.1, uyuni-common-libs-4.1.5-1.3.2, zypp-plugin-spacewalk-1.0.7-30.21.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE Linux Enterprise Server 12-SP5 (src):    golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    golang-github-prometheus-node_exporter-0.18.1-1.6.2
SUSE Enterprise Storage 5 (src):    golang-github-prometheus-node_exporter-0.18.1-1.6.2
HPE Helion Openstack 8 (src):    cobbler-2.6.6-49.26.3, golang-github-prometheus-node_exporter-0.18.1-1.6.2

Comment 12 Swamp Workflow Management 2020-07-21 05:00:10 UTC
SUSE-SU-2020:1972-1: An update that solves four vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 1113160,1138822,1142038,1148177,1153090,1153277,1154940,1154968,1155372,1163871,1165921,1168310,1170231,1170557,1170824,1171687,1172462
CVE References: CVE-2019-10215,CVE-2019-15043,CVE-2020-12245,CVE-2020-13379
Sources used:
SUSE Manager Tools 15 (src):    dracut-saltboot-0.1.1590413773.a959db7-1.12.2, golang-github-prometheus-prometheus-2.18.0-3.12.2, grafana-7.0.3-1.9.2, koan-2.9.0-4.15.2, mgr-cfg-4.1.2-1.12.4, mgr-custom-info-4.1.1-1.6.2, mgr-daemon-4.1.1-1.14.2, mgr-osad-4.1.2-1.15.2, mgr-push-4.1.1-1.6.4, mgr-virtualization-4.1.1-1.14.2, rhnlib-4.1.2-3.16.2, spacecmd-4.1.4-3.38.2, spacewalk-client-tools-4.1.5-3.23.2, spacewalk-koan-4.1.1-3.9.2, spacewalk-oscap-4.1.1-3.6.3, spacewalk-remote-utils-4.1.1-3.12.4, supportutils-plugin-susemanager-client-4.1.2-3.9.2, suseRegisterInfo-4.1.2-3.6.2, uyuni-base-4.1.1-1.3.2, uyuni-common-libs-4.1.5-1.3.2, zypp-plugin-spacewalk-1.0.7-3.12.2

Comment 13 Swamp Workflow Management 2020-07-27 22:14:19 UTC
openSUSE-SU-2020:1105-1: An update that solves four vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 1113160,1138822,1142038,1148177,1153090,1153277,1154940,1154968,1155372,1163871,1165921,1168310,1170231,1170557,1170824,1171687,1172462
CVE References: CVE-2019-10215,CVE-2019-15043,CVE-2020-12245,CVE-2020-13379
Sources used:
openSUSE Leap 15.2 (src):    dracut-saltboot-0.1.1590413773.a959db7-lp152.2.3.1
Comment 14 OBSbugzilla Bot 2020-09-30 17:50:25 UTC
This is an autogenerated message for OBS integration:
This bug (1170557) was mentioned in
https://build.opensuse.org/request/show/838812 Backports:SLE-15 / grafana
https://build.opensuse.org/request/show/838813 Backports:SLE-15-SP1 / grafana
Comment 15 OBSbugzilla Bot 2020-10-01 09:10:07 UTC
This is an autogenerated message for OBS integration:
This bug (1170557) was mentioned in
https://build.opensuse.org/request/show/838932 Backports:SLE-15-SP2 / grafana
Comment 16 Swamp Workflow Management 2020-10-04 16:15:49 UTC
openSUSE-SU-2020:1611-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1044444,1044933,1115960,1170557
CVE References: CVE-2018-19039,CVE-2019-15043,CVE-2020-12245,CVE-2020-13379
Sources used:
openSUSE Backports SLE-15-SP1 (src):    grafana-7.1.5-bp151.2.1
Comment 17 Swamp Workflow Management 2020-10-10 16:15:35 UTC
openSUSE-SU-2020:1646-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1170557
CVE References: CVE-2020-12245,CVE-2020-13379
Sources used:
openSUSE Backports SLE-15-SP2 (src):    grafana-7.1.5-bp152.3.3.1
Comment 19 Swamp Workflow Management 2021-04-15 19:51:36 UTC
SUSE-SU-2021:1233-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1148383,1170557,1170657,1172409,1172450,1175951,1178243
CVE References: CVE-2018-18623,CVE-2019-15043,CVE-2019-19499,CVE-2020-12052,CVE-2020-12245,CVE-2020-13379,CVE-2020-24303
Sources used:
SUSE Manager Tools 15 (src):    system-user-grafana-1.0.0-3.9.1
SUSE Enterprise Storage 6 (src):    grafana-7.3.1-3.6.1, system-user-grafana-1.0.0-3.9.1
