Page MenuHomePhabricator
Create Task
Maniphest T328405

Grafana: CVE-2022-39324 CVE-2022-23552
Closed, ResolvedPublic
Actions

Description

Grafana 8.5.16 fixes two security issues, one doesn't affect us since we don't use the affected plugin and the one other is low severity (snapshots are restricted to NDA users using grafana-rw). But regardless is makes sense to stay on top of updates since the v8.5.x branch also contains other bugfixes:

CVE-2022-23552 : Stored XSS in ResourcePicker component
https://github.com/grafana/grafana/security/advisories/GHSA-8xmm-x63g-f6xv

CVE-2022-39324: Spoofing originalUrl of snapshots
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw

Related Objects

Event Timeline

MoritzMuehlenhoff created this task.Jan 31 2023, 8:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 31 2023, 8:22 AM
fgiunchedi added a comment.Jan 31 2023, 8:43 AM

Upgrading SGTM, I don't see 8.5.16 on apt.grafana.org yet though:

https://apt.grafana.com/dists/stable/main/binary-amd64/Packages.gz

fgiunchedi added a comment.Jan 31 2023, 9:01 AM

Opened an issue with upstream re: apt repo update https://github.com/grafana/grafana/issues/62544

Stashbot added a comment.Feb 1 2023, 9:47 AM

Mentioned in SAL (#wikimedia-operations) [2023-02-01T09:47:54Z] <godog> upgrade grafana to 8.5.20 on grafana2001 - T328405

Stashbot added a comment.Feb 1 2023, 9:57 AM

Mentioned in SAL (#wikimedia-operations) [2023-02-01T09:57:04Z] <godog> upgrade grafana to 8.5.20 on grafana1002 - T328405

Stashbot added a comment.Feb 1 2023, 10:01 AM

Mentioned in SAL (#wikimedia-operations) [2023-02-01T10:01:56Z] <godog> upgrade grafana to 8.5.20 on cloudmetrics* - T328405

fgiunchedi closed this task as Resolved.Feb 1 2023, 10:16 AM
fgiunchedi claimed this task.

This is complete -- we went with 8.5.20 (the latest available, and not 8.5.16) since the latter shouldn't be used and it was mis-released.

fgiunchedi mentioned this in T328784: Grafana LDAP sync fails post upgrade.Feb 3 2023, 4:43 PM
lmata added a project: SRE Observability (FY2022/2023-Q3).Feb 21 2023, 3:19 PM
lmata moved this task from Inbox to Done on the SRE Observability (FY2022/2023-Q3) board.
MoritzMuehlenhoff mentioned this in T322829: Grafana: CVE-2022-39307 CVE-2022-39306.Mar 3 2023, 9:23 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL