Grafana security release: New versions with security fixes for CVE-2023-0594, CVE-2023-0507, and CVE-2023-22462

Today we are releasing Grafana 9.4, which includes updates such as enhanced navigation and custom visualization panels. In addition, this release contains security fixes for CVE-2023-0594, CVE-2023-0507, and CVE-2023-22462.

We have also released a security patch for Grafana 9.3.8, 9.2.13, and 8.5.21 to address these issues.

Release 9.4.1, latest release with security patch:

• Download Grafana 9.4.1

Release 9.3.8, latest 9.3 patch with security fix:

• Download Grafana 9.3.8

Release 9.2.13, latest 9.2 patch with security fix:

• Download Grafana 9.2.13

Release 8.5.21 with security fix:

• Download Grafana 8.5.21

Stored XSS in TraceView panel (CVE-2023-0594)

Summary

During an internal audit of Grafana on January 30, a member of the engineering team found a stored XSS vulnerability affecting the TraceView panel.

The stored XSS vulnerability was possible because the value of a span’s attributes/resources were not properly sanitized, and this will be rendered when the span’s attributes/resources are expanded.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

Appropriate patches have been applied to Grafana Cloud.

Impact

An attacker needs to have the Editor role in order to change the value of a trace view visualization to contain JavaScript. This means that vertical privilege escalation is possible, where a user with an Editor role can change to a known password for a user with an Admin role and, with the Admin role permissions, can execute malicious JavaScript viewing a dashboard.

Impacted versions

All installations for Grafana versions <8.5.21, <9.2.13, and <9.3.8.

Solutions and mitigations

To fully address CVE-2023-0594, please upgrade your Grafana instances. As an alternative, you can enable the Content-Security-Policy option.

Stored XSS in geomap panel plugin via attribution (CVE-2023-0507)

Summary

During an internal audit of Grafana on January 25, a member of the security team found a stored XSS vulnerability affecting the core geomap plugin.

The stored XSS vulnerability was possible because map attributions weren’t properly sanitized, allowing arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana instance.

The CVSS score for this vulnerability is 7.3 High (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

Appropriate patches have been applied to Grafana Cloud.

Impact

An attacker needs to have the Editor role in order to change a panel to include a map attribution containing JavaScript. This means that vertical privilege escalation is possible, where a user with an Editor role can change to a known password for a user with an Admin role and, with the Admin role permissions, can execute malicious JavaScript viewing a dashboard.

Impacted versions

All installations for Grafana versions <8.5.21, <9.2.13, and <9.3.8.

Solutions and mitigations

To fully address CVE-2023-0507, please upgrade your Grafana instances. As an alternative, you can enable the Content-Security-Policy option.

Stored XSS in text panel plugin (CVE-2023-22462)

Summary

During an internal audit of Grafana on January 1, a member of the security team found a stored XSS vulnerability affecting the core text plugin.

The stored XSS vulnerability requires several user interactions in order to be fully exploited. The vulnerability was possible due to React’s render cycle that will pass through the unsanitized HTML code, but in the next cycle, the HTML is cleaned up and saved in Grafana’s database.

The CVSS score for this vulnerability is 6.4 Medium (CVSS:6.4/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

Appropriate patches have been applied to Grafana Cloud.

Impact

An attacker needs to have the Editor role in order to change a text panel to include JavaScript. Later, another user needs to edit the same text panel, and click on Markdown or HTML for the code to be executed. This means that vertical privilege escalation is possible, where a user with an Editor role can change to a known password for a user with an Admin role and, with the Admin role permissions, can execute malicious JavaScript viewing a dashboard.

Impacted versions

All installations for Grafana versions <9.2.10 and <9.3.4

Solutions and mitigations

To fully address CVE-2023-22462, please upgrade your Grafana instances. As an alternative, you can enable the Content-Security-Policy option.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key.

The key fingerprint is 225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.