Arch Linux Security Advisory ASA-202111-5
========================================
Severity: Medium
Date    : 2021-11-05
CVE-ID  : CVE-2021-41174
Package : grafana
Type    : cross-site scripting
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2517

Summary
======
The package grafana before version 8.2.3-1 is vulnerable to cross-site
scripting.

Resolution
=========
Upgrade to 8.2.3-1.

# pacman -Syu "grafana>=8.2.3-1"

The problem has been fixed upstream in version 8.2.3.

Workaround
=========
To mitigate the issue, a reverse proxy or similar can be used to block
access to block the literal string "{{" in the path.

Description
==========
A security issue has been found in Grafana before version 8.2.3. If an
attacker is able to convince a victim to visit a URL referencing a
vulnerable page, arbitrary JavaScript content may be executed within
the context of the victim's browser.

The user visiting the malicious link must be unauthenticated and the
link must be for a page that contains the login button in the menu bar.

There are two ways an unauthenticated user can open a page in Grafana
that contains the login button:
- Anonymous authentication is enabled. This means all pages in Grafana
would be open for the attack.
- The link is to an unauthenticated page. The following pages are
vulnerable:
  - /dashboard-solo/snapshot/*
  - /dashboard/snapshot/*
  - /invite/:code

The url has to be crafted to exploit AngularJS rendering and contain
the interpolation binding for AngularJS expressions. AngularJS uses
double curly braces for interpolation binding: {{ }}

An example of an expression would be:
"{{constructor.constructor(‘alert(1)’)()}}". This can be included in
the link URL like this:

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.construct
or('alert(1)')()%7D%7D?orgId=1

When the user follows the link and the page renders, the login button
will contain the original link with a query parameter to force a
redirect to the login page. The URL is not validated and the AngularJS
rendering engine will execute the JavaScript expression contained in
the URL.

Impact
=====
A remote attacker could execute arbitrary JavaScript code by tricking
an unauthenticated victim into opening a crafted URL.

References
=========
https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
https://github.com/grafana/grafana/commit/34eda6123d9b21c2c0b2d0c0e6f2fb38e6cf60d5
https://github.com/grafana/grafana/commit/a3dc30546fce2e437d858c140f1ff307a04365d6
https://github.com/grafana/grafana/commit/8081dc9ee913a1bf4b98f99e78661db88a6dc1ef
https://github.com/grafana/grafana/commit/1c7ce348ce4363c55992ed5772f96981d1a86f7e
https://security.archlinux.org/CVE-2021-41174

ArchLinux: 202111-5: grafana: cross-site scripting

November 9, 2021

Summary

A security issue has been found in Grafana before version 8.2.3. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar.
There are two ways an unauthenticated user can open a page in Grafana that contains the login button: - Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack. - The link is to an unauthenticated page. The following pages are vulnerable: - /dashboard-solo/snapshot/* - /dashboard/snapshot/* - /invite/:code
The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}
An example of an expression would be: "{{constructor.constructor(‘alert(1)’)()}}". This can be included in the link URL like this:
https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.construct or('alert(1)')()%7D%7D?orgId=1
When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

Resolution

Upgrade to 8.2.3-1. # pacman -Syu "grafana>=8.2.3-1"
The problem has been fixed upstream in version 8.2.3.

References

https://github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8 https://github.com/grafana/grafana/commit/34eda6123d9b21c2c0b2d0c0e6f2fb38e6cf60d5 https://github.com/grafana/grafana/commit/a3dc30546fce2e437d858c140f1ff307a04365d6 https://github.com/grafana/grafana/commit/8081dc9ee913a1bf4b98f99e78661db88a6dc1ef https://github.com/grafana/grafana/commit/1c7ce348ce4363c55992ed5772f96981d1a86f7e https://security.archlinux.org/CVE-2021-41174

Severity
Package : grafana
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-2517

Workaround

To mitigate the issue, a reverse proxy or similar can be used to block access to block the literal string "{{" in the path.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved