
Grafana security release: New versions with security fixes for CVE-2023-1410

2023-03-22

Today we are releasing Grafana 9.4.7, which includes updates such as enhanced navigation and custom visualization panels. In addition, this release contains security fixes for CVE-2023-1410.

We have also released a security patch for Grafana 8.5.22, 9.3.11, and 9.2.15 to address these issues.

Release 9.4.7, latest release with security patch

Release 9.3.11, latest 9.3 patch with security patch

Release 9.2.15, latest 9.2 patch with security patch

Release 8.5.22 with security patch

Stored XSS in Graphite FunctionDescription tooltip (CVE-2023-1410)

Summary

On March 14, an external security researcher responsibly disclosed an XSS vulnerability via Grafana Labs’ Bug Bounty program. Continue reading for vulnerability details, impact, and mitigation.

When a user adds a Graphite data source, they can use it in a dashboard, and queries against it can use Graphite Functions. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip lets you delete the selected Function from your query or show the Function Description. However, no sanitization is done when this description is added to the DOM.

Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance whose Function Descriptions have been modified to contain XSS payloads. When the victim uses that data source in a query and hovers over the Function Description, the attacker-controlled XSS payload is executed in the victim's browser.
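To illustrate the unsanitized-description pattern described above, the following JavaScript is an added example written for this post, not Grafana's source or its actual fix. It places a tooltip renderer that concatenates the data-source-supplied description straight into markup beside one that escapes it, and adds an audit helper for stored function metadata; the function-definition shape and all function names are assumptions.

```javascript
// Added example: defensive rendering of a Graphite function description in
// a tooltip. Not Grafana's code; Grafana's real patch may differ.

// Escape the five characters that matter when untrusted text is placed in
// HTML element content or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable pattern: the description received from the remote Graphite
// server is concatenated directly into markup destined for innerHTML, so any
// tags it contains become live DOM nodes.
function renderTooltipUnsafe(fnDef) {
  return `<div class="tooltip"><b>${fnDef.name}</b><p>${fnDef.description}</p></div>`;
}

// Hardened pattern: every field that originates from the data source is
// escaped before it becomes markup (in real DOM code, assigning it through
// textContent instead of innerHTML achieves the same thing).
function renderTooltipSafe(fnDef) {
  return `<div class="tooltip"><b>${escapeHtml(fnDef.name)}</b><p>${escapeHtml(fnDef.description)}</p></div>`;
}

// Audit helper: true when a description contains anything that would turn
// into an element or an inline event handler if rendered as HTML.
function looksLikeMarkup(description) {
  return /<\s*\/?\s*[a-z!]/i.test(description) || /\bon[a-z]+\s*=/i.test(description);
}

// Returns the names of functions whose descriptions should be reviewed.
function auditFunctions(fnDefs) {
  return fnDefs.filter((f) => looksLikeMarkup(f.description)).map((f) => f.name);
}

// Constructed sample in the assumed shape of Graphite function metadata
// (only name and description are used here). The second entry carries
// harmless bold tags, enough to show the difference between the renderers.
const sampleFunctions = [
  { name: "sumSeries", description: "Adds metrics together and returns the sum at each datapoint." },
  { name: "aliasByNode", description: "Takes a seriesList and a list of <b>node</b> indices." },
];

for (const f of sampleFunctions) {
  console.log("unsafe:", renderTooltipUnsafe(f));
  console.log("safe:  ", renderTooltipSafe(f));
}
console.log("descriptions containing markup:", auditFunctions(sampleFunctions));
```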

The severity of this vulnerability is CVSSv3.1 5.7 Medium (vector: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N).

Appropriate patches have been applied to Grafana Cloud.

Impact

An attacker needs to have control over an already configured Graphite data source, or a Grafana admin needs to add a deliberately modified Graphite data source.

This means that vertical privilege escalation is possible: malicious JavaScript running in the victim's session could change a user's password to a value known to the attacker when the victim opens the Explore view and hovers over a Function tooltip.

Impacted versions

All installations of Grafana versions <8.5.22, <9.2.15, <9.3.11, and <9.4.7

Solutions and mitigations

To fully address CVE-2023-1410, please upgrade your Grafana instances.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to, Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com).

We can only accept vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is:

225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes. You can also subscribe to our RSS feed.