CVE-2023-0594 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2023-0594 Interim 1 9 2023-09-08T23:23:09Z current 2023-03-03T00:15:55Z 2023-09-08T23:23:09Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2023-0594 Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2023-June/015141.html E-Mail link for SUSE-CU-2023:1836-1 https://lists.suse.com/pipermail/sle-updates/2023-April/028875.html E-Mail link for SUSE-SU-2023:1902-1 https://lists.suse.com/pipermail/sle-updates/2023-April/028874.html E-Mail link for SUSE-SU-2023:1903-1 https://lists.suse.com/pipermail/sle-updates/2023-April/028873.html E-Mail link for SUSE-SU-2023:1904-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container ses/7.1/ceph/grafana:8.5.22.3.4.77 HPE Helion OpenStack 8 SUSE Enterprise Storage 6 SUSE Linux Enterprise Module for Package Hub 15 SP4 SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Manager Tools 12 SUSE Manager Tools 15 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 openSUSE Leap 15.4 grafana grafana-8.5.22-1.45.1 grafana-8.5.22-150000.1.45.1 grafana-8.5.22-150200.3.38.1 grafana-8.5.22-150200.3.38.1 as a component of Container ses/7.1/ceph/grafana:8.5.22.3.4.77 grafana-8.5.22-150200.3.38.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP4 grafana-8.5.22-150200.3.38.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 grafana-8.5.22-1.45.1 as a component of SUSE Manager Tools 12 grafana-8.5.22-150000.1.45.1 as a component of SUSE Manager Tools 15 grafana-8.5.22-150200.3.38.1 as a component of openSUSE Leap 15.4 grafana as a component of HPE Helion OpenStack 8 grafana as a component of SUSE Enterprise Storage 6 grafana as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 grafana as a component of SUSE OpenStack Cloud 8 grafana as a component of SUSE OpenStack Cloud 9 grafana as a component of SUSE OpenStack Cloud Crowbar 8 grafana as a component of SUSE OpenStack Cloud Crowbar 9 Grafana is an open-source platform for monitoring and observability. Starting with the 7.0 branch, Grafana had a stored XSS vulnerability in the trace view visualization. The stored XSS vulnerability was possible due the value of a span's attributes/resources were not properly sanitized and this will be rendered when the span's attributes/resources are expanded. An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with Editor role can change to a known password for a user having Admin role if the user with Admin role executes malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.21, 9.2.13 and 9.3.8 to receive a fix. CVE-2023-0594 Container ses/7.1/ceph/grafana:8.5.22.3.4.77:grafana-8.5.22-150200.3.38.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP5:grafana-8.5.22-150200.3.38.1 SUSE Linux Enterprise Module for Package Hub 15 SP4:grafana-8.5.22-150200.3.38.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana-8.5.22-150200.3.38.1 SUSE Manager Tools 12:grafana-8.5.22-1.45.1 SUSE Manager Tools 15:grafana-8.5.22-150000.1.45.1 openSUSE Leap 15.4:grafana-8.5.22-150200.3.38.1 HPE Helion OpenStack 8:grafana SUSE OpenStack Cloud 8:grafana SUSE OpenStack Cloud 9:grafana SUSE OpenStack Cloud Crowbar 8:grafana SUSE OpenStack Cloud Crowbar 9:grafana SUSE Enterprise Storage 6:grafana SUSE Linux Enterprise Module for Package Hub 15 SP5:grafana important 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N