Detections
Analytics

CentOS 9 : grafana-9.0.9-1.el9

high Nessus Plugin ID 191236

Language:

Synopsis

The remote CentOS host is missing one or more security updates for grafana.

Description

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the grafana-9.0.9-1.el9 build changelog.

 - XSS (CVE-2021-23648)

 - Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot public_mode configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot public_mode setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths:
 /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key.
 They have no normal function and can be disabled without side effects. (CVE-2021-39226)

 - directory traversal vulnerability for *.md files (CVE-2021-43813)

 - net/http: limit growth of header canonicalization cache (CVE-2021-44716)

 - net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

 - go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

 - Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)

 - client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`;
 not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`.
 client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods. (CVE-2022-21698)

 - XSS vulnerability in data source handling (CVE-2022-21702)

 - CSRF vulnerability can lead to privilege escalation (CVE-2022-21703)

 - IDOR vulnerability can lead to information disclosure (CVE-2022-21713)

 - encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

 - io/fs: stack exhaustion in Glob (CVE-2022-30630)

 - compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

 - path/filepath: stack exhaustion in Glob (CVE-2022-30632)

 - encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

 - encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

 - OAuth account takeover (CVE-2022-31107)

 - net/http/httputil: NewSingleHostReverseProxy (CVE-2022-32148)

 - Escalation from admin to server admin when auth proxy is used (rhbz#2125530) (CVE-2022-35957)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the CentOS 9 Stream grafana package.

See Also

https://kojihub.stream.centos.org/koji/buildinfo?buildID=25085

Plugin Details

Severity: High

ID: 191236

File Name: centos9_grafana-9_0_9-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/29/2024

Updated: 4/26/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-21703

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:centos:centos:9, p-cpe:/a:centos:centos:grafana

Required KB Items: Host/local_checks_enabled, Host/CentOS/release, Host/CentOS/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/22/2022

Vulnerability Publication Date: 10/5/2021

CISA Known Exploited Vulnerability Due Dates: 9/15/2022

Reference Information

CVE: CVE-2021-23648, CVE-2021-39226, CVE-2021-43813, CVE-2021-44716, CVE-2022-1705, CVE-2022-1962, CVE-2022-21673, CVE-2022-21698, CVE-2022-21702, CVE-2022-21703, CVE-2022-21713, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, CVE-2022-31107, CVE-2022-32148, CVE-2022-35957