CVE-2022-21702: Cross site scripting in Grafana proxy
First published: Fri Feb 04 2022(Updated: )
A Cross-site scripting (XSS) vulnerability was found in the way Grafana handles data sources. This flaw allows an attacker to serve HTML content through the Grafana data source or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site scripting (XSS) attack. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/grafana | <0:7.5.15-3.el8 | 0:7.5.15-3.el8 |
| redhat/grafana | <0:7.5.15-3.el9 | 0:7.5.15-3.el9 |
| Grafana Grafana | >=2.0.1<7.5.15 | |
| Grafana Grafana | >=8.0.0<8.3.5 | |
| Grafana Grafana | =2.0.0-beta1 | |
| Grafana Grafana | =2.0.0-beta3 | |
| Netapp E-series Performance Analyzer | <3.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| redhat/grafana | <7.5.15 | 7.5.15 |
| redhat/grafana | <8.3.5 | 8.3.5 |
| go/github.com/grafana/grafana | >=8.0.0<=8.3.4 | 8.3.5 |
| go/github.com/grafana/grafana | >=2.0.0-beta1<7.5.15 | 7.5.15 |
Remedy
Please refer to the Grafana upstream advisory for possible workarounds for this issue.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-21702 https://nvd.nist.gov/vuln/detail/CVE-2022-21702 https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
- https://bugzilla.redhat.com/show_bug.cgi?id=2050648
- https://access.redhat.com/errata/RHSA-2022:7519
- https://access.redhat.com/errata/RHSA-2022:8057
- https://access.redhat.com/security/cve/cve-2022-21702
- https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85
- https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g
- https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
- https://security.netapp.com/advisory/ntap-20220303-0005/
- https://github.com/grafana/grafana/commit/41c1cd2865fee195a76f4856905077dfff311169
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2053453
- https://nvd.nist.gov/vuln/detail/CVE-2022-21702
- https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ
- https://security.netapp.com/advisory/ntap-20220303-0005
- https://github.com/advisories/GHSA-xc3p-28hw-q24g (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
Frequently Asked Questions
What is CVE-2022-21702?
CVE-2022-21702 is a Cross-site scripting (XSS) vulnerability found in the way Grafana handles data sources.
How does the CVE-2022-21702 vulnerability in Grafana work?
In affected versions, an attacker could serve HTML content through the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link, leading to a Cross-site Scripting (XSS) attack.
What software versions are affected by CVE-2022-21702?
The affected software versions are Grafana 7.5.15-3.el8, Grafana 7.5.15-3.el9, Grafana 7.5.15, and Grafana 8.3.5.
What is the severity of CVE-2022-21702?
The severity of CVE-2022-21702 is medium with a CVSS score of 6.8.
How can I fix the CVE-2022-21702 vulnerability in Grafana?
To fix the CVE-2022-21702 vulnerability, upgrade Grafana to versions 7.5.15 or 8.3.5.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-21702
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-xc3p-28hw-q24g
- agent/softwarecombine
- agent/description
- collector/nvd-cve
- source/NVD
- agent/references
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/title
- agent/event
- agent/tags
- agent/trending
- package-manager/redhat
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/2.0.1
- version/grafana grafana/8.0.0
- version/grafana grafana/2.0.0-beta1
- version/grafana grafana/2.0.0-beta3
- vendor/netapp
- canonical/netapp e-series performance analyzer
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- package-manager/go