What versions of Grafana are affected by CVE-2023-0594?

Versions ranging from 7.0.0 to 8.5.21 and versions ranging from 9.2.0 to 9.2.13 are affected by CVE-2023-0594.

How severe is CVE-2023-0594?

CVE-2023-0594 has a severity rating of 5.4 (high).

How can I fix CVE-2023-0594?

To fix CVE-2023-0594, upgrade to a version of Grafana that is not affected by the vulnerability.

Vulnerability/
CVE-2023-0594

high

7.3

CWE

8/2/2023

1/3/2023

2/8/2024

CVE-2023-0594: XSS

Q: What is CVE-2023-0594?

CVE-2023-0594 is a stored XSS vulnerability in the trace view visualization of Grafana.

First published: Wed Feb 08 2023(Updated: )

Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix.

Credit: security@grafana.com

Affected Software	Affected Version	How to fix
Grafana Grafana	>=7.0.0<8.5.21
Grafana Grafana	>=9.2.0<9.2.13
Grafana Grafana	>=9.3.0<9.3.8

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-0594?
CVE-2023-0594 is a stored XSS vulnerability in the trace view visualization of Grafana.
What is Grafana?
Grafana is an open-source platform for monitoring and observability.
What versions of Grafana are affected by CVE-2023-0594?
Versions ranging from 7.0.0 to 8.5.21 and versions ranging from 9.2.0 to 9.2.13 are affected by CVE-2023-0594.
How severe is CVE-2023-0594?
CVE-2023-0594 has a severity rating of 5.4 (high).
How can I fix CVE-2023-0594?
To fix CVE-2023-0594, upgrade to a version of Grafana that is not affected by the vulnerability.

collector/nvd-index
agent/type
agent/softwarecombine
agent/severity
agent/weakness
agent/author
agent/references
agent/tags
agent/description
agent/event
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-0594
agent/last-modified-date
collector/mitre-cve
source/MITRE
vendor/grafana
canonical/grafana grafana
version/grafana grafana/7.0.0
version/grafana grafana/9.2.0
version/grafana grafana/9.3.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.