openSUSE:Step:15-SP2
File _patchinfo of Package patchinfo.18437
<patchinfo incident="18437">
  <issue tracker="cve" id="2019-15043"/>
  <issue tracker="cve" id="2020-12245"/>
  <issue tracker="cve" id="2020-13379"/>
  <issue tracker="cve" id="2019-15043"/>
  <issue tracker="cve" id="2020-12052"/>
  <issue tracker="cve" id="2020-24303"/>
  <issue tracker="cve" id="2018-18623"/>
  <issue tracker="cve" id="2019-19499"/>
  <issue tracker="bnc" id="1148383">VUL-0: CVE-2019-15043: grafana: unauthenticated user/client may access the Grafana snapshot HTTP API and create a denial of service</issue>
  <issue tracker="bnc" id="1170557">VUL-0: CVE-2020-12245: grafana: XSS in table-panel via column.title or cellLinkTooltip</issue>
  <issue tracker="bnc" id="1172409">VUL-0: CVE-2020-13379: grafana: 6.7.4 / 7.0.2 security update</issue>
  <issue tracker="bnc" id="1170657">VUL-0: CVE-2020-12052: grafana: XSS annotation popup vulnerability</issue>
  <issue tracker="bnc" id="1178243">VUL-1: CVE-2020-24303: grafana: XSS via a query alias for the ElasticSearch datasource</issue>
  <issue tracker="bnc" id="1172450">VUL-0: CVE-2018-18623, CVE-2018-18624, CVE-2018-18625: grafana: XSS vulnerabilities in dashboard due to an incomplete fix for CVE-2018-12099</issue>
  <issue tracker="bnc" id="1175951">VUL-0: CVE-2019-19499: grafana: arbitrary file read via MySQL data source</issue>
  <category>security</category>
  <rating>moderate</rating>
  <packager>mschnitzer</packager>
  <summary>Security update for grafana and system-user-grafana</summary>
  <description>This update for grafana and system-user-grafana fixes the following issues:

- Updated grafana to upstream version 7.3.1
  * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use.
    This makes it possible to run a denial of service attack against the server running Grafana
  * CVE-2020-12245: Grafana before 6.7.3 allows table-panel XSS via column.title or cellLinkTooltip (bsc#1170557)
  * CVE-2020-13379: The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue.
    This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL
    and return its result to the user/client. This can be used to gain information about the network that
    Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via
    SegFault (bsc#1172409)
  * CVE-2019-15043: In Grafana 2.x through 6.x before 6.3.4, parts of the HTTP API allow unauthenticated use.
    This makes it possible to run a denial of service attack against the server running Grafana (bsc#1148383)
  * CVE-2020-12052: Grafana version below 6.7.3 is vulnerable to annotation popup XSS (bsc#1170657)
  * CVE-2020-24303: Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. (bsc#1178243)
  * CVE-2018-18623: Grafana 5.3.1 has XSS via the "Dashboard > Text Panel" screen (bsc#1172450)
  * CVE-2019-19499: Grafana versions below or equal to 6.4.3 have an Arbitrary File Read vulnerability, which
    could be exploited by an authenticated attacker that has privileges to modify the data source
    configurations (bsc#1175951)
  * Please refer to this package's changelog to get a full list of all changes (including bug fixes etc.)

- Initial shipment of system-user-grafana to SES 6</description>
</patchinfo>