
x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3cgw-hfw7-wc7j #1673

Closed
GoVulnBot opened this issue Mar 23, 2023 · 1 comment
Assignees
Labels
excluded: NOT_A_VULNERABILITY This is not a vulnerability.

Comments

@GoVulnBot

In GitHub Security Advisory GHSA-3cgw-hfw7-wc7j, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/grafana/grafana | 9.3.11 | >= 9.3.0, < 9.3.11 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

```yaml
modules:
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.3.0
        fixed: 9.3.11
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.0.0
        fixed: 9.2.15
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - fixed: 8.5.22
    packages:
      - package: github.com/grafana/grafana
summary: 'Duplicate Advisory: Grafana Stored Cross-site Scripting vulnerability'
description: |-
    ## Duplicate Advisory
    This advisory has been withdrawn because it is a duplicate of [GHSA-qrrg-gw7w-vp76](https://github.com/advisories/GHSA-qrrg-gw7w-vp76). This link is maintained to preserve external references.

    ## Original Description
    Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
ghsas:
  - GHSA-3cgw-hfw7-wc7j
references:
  - advisory: https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-1410
  - web: https://grafana.com/security/security-advisories/cve-2023-1410/
  - advisory: https://github.com/advisories/GHSA-3cgw-hfw7-wc7j
```

@jba jba self-assigned this Mar 23, 2023
@jba jba added the excluded: NOT_A_VULNERABILITY This is not a vulnerability. label Mar 23, 2023
@gopherbot (Contributor)

Change https://go.dev/cl/479297 mentions this issue: data/excluded: batch add GO-2023-1674, GO-2023-1671, GO-2023-1670, GO-2023-1669, GO-2023-1668, GO-2023-1667, GO-2023-1662, GO-2023-1661, GO-2023-1660, GO-2023-1659, GO-2023-1658, GO-2023-1657, GO-2023-1656, GO-2023-1655, GO-2023-1654, GO-2023-1653, GO-2023-1673, GO-2023-1666, GO-2023-1665
