Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-3cgw-hfw7-wc7j #1673

Closed
GoVulnBot opened this issue Mar 23, 2023 · 1 comment
Assignees
Labels
excluded: NOT_A_VULNERABILITY This is not a vulnerability.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-3cgw-hfw7-wc7j, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/grafana/grafana 9.3.11 >= 9.3.0, < 9.3.11

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.3.0
        fixed: 9.3.11
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.0.0
        fixed: 9.2.15
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - fixed: 8.5.22
    packages:
      - package: github.com/grafana/grafana
summary: 'Duplicate Advisory: Grafana Stored Cross-site Scripting vulnerability'
description: |-
    ## Duplicate Advisory
    This advisory has been withdrawn because it is a duplicate of [GHSA-qrrg-gw7w-vp76](https://github.com/advisories/GHSA-qrrg-gw7w-vp76). This link is maintained to preserve external references.

    ## Original Description
    Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due the value of the Function Description was not properly sanitized. An attacker needs to have control over the Graphite data source in order to manipulate a function description and a Grafana admin needs to configure the data source, later a Grafana user needs to select a tampered function and hover over the description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix.
ghsas:
  - GHSA-3cgw-hfw7-wc7j
references:
  - advisory: https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-1410
  - web: https://grafana.com/security/security-advisories/cve-2023-1410/
  - advisory: https://github.com/advisories/GHSA-3cgw-hfw7-wc7j

@jba jba self-assigned this Mar 23, 2023
@jba jba added the excluded: NOT_A_VULNERABILITY This is not a vulnerability. label Mar 23, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/479297 mentions this issue: data/excluded: batch add GO-2023-1674, GO-2023-1671, GO-2023-1670, GO-2023-1669, GO-2023-1668, GO-2023-1667, GO-2023-1662, GO-2023-1661, GO-2023-1660, GO-2023-1659, GO-2023-1658, GO-2023-1657, GO-2023-1656, GO-2023-1655, GO-2023-1654, GO-2023-1653, GO-2023-1673, GO-2023-1666, GO-2023-1665

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_A_VULNERABILITY This is not a vulnerability.
Projects
None yet
Development

No branches or pull requests

3 participants