Today we are releasing Grafana 9.4.7, which includes updates such as enhanced navigation and custom visualization panels. In addition, this release contains security fixes for CVE-2023-1410.
We have also released a security patch for Grafana 8.5.22, 9.3.11, and 9.2.15 to address these issues.
Release 9.4.7, latest release with security patch
Release 9.3.11, latest 9.3 patch with security patch
Release 9.2.15, latest 9.2 patch with security patch
Release 8.5.22 with security patch
Stored XSS in Graphite FunctionDescription tooltip (CVE-2023-1410)
On March 14, an external security researcher responsibly disclosed an XSS vulnerability via Grafana Labs’ Bug Bounty program. Continue reading for vulnerability details, impact, and mitigation.
When a user adds a Graphite data source, they can then use that data source in a dashboard. The Graphite query editor lets the user apply Functions to a query. Once a function is selected, a small tooltip appears when hovering over the name of the function. This tooltip lets you delete the selected Function from your query or show the Function Description. However, the description is inserted into the DOM without any sanitization.
Since it is not uncommon to connect to public data sources, an attacker could host a Graphite instance with modified Function Descriptions containing XSS payloads. When the victim uses it in a query and accidentally hovers over the Function Description, an attacker-controlled XSS payload will be executed.
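As an added illustration, not Grafana's own code, the following contrasts the unsafe rendering pattern described above with an escaped version. It assumes a simplified shape for a Graphite function listing (name, signature, description) and uses a constructed description containing markup as the untrusted input.

```javascript
// Constructed sample of an untrusted Graphite function listing. The field
// names are an assumption for illustration; the description is attacker-controlled.
const untrustedFunctions = {
  sumSeries: {
    name: 'sumSeries',
    function: 'sumSeries(*seriesLists)',
    description: 'Adds all series together. <script>alert(1)</script>',
  },
};

// Escape the characters that can change HTML context, so description text is
// displayed literally instead of being parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw description is concatenated into markup that
// would later be assigned to innerHTML, so any tags in it become live DOM.
function buildTooltipUnsafe(fn) {
  return `<div class="tooltip"><b>${fn.function}</b><p>${fn.description}</p></div>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches markup.
function buildTooltipSafe(fn) {
  return `<div class="tooltip"><b>${escapeHtml(fn.function)}</b>` +
    `<p>${escapeHtml(fn.description)}</p></div>`;
}

// Check usable in a test suite: the rendered markup may contain only the tags
// the template itself emits; anything else came from untrusted data.
function hasUnexpectedTags(html, allowed = ['div', 'b', 'p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

console.log(hasUnexpectedTags(buildTooltipUnsafe(untrustedFunctions.sumSeries))); // true
console.log(hasUnexpectedTags(buildTooltipSafe(untrustedFunctions.sumSeries)));   // false
```

Assigning the safe string to a tooltip element's innerHTML, or using textContent for the description directly, keeps the tooltip inert regardless of what the data source returns.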
The severity of this vulnerability is CVSS v3.1 5.7 Medium (vector: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N).
Appropriate patches have been applied to Grafana Cloud.
An attacker needs to have control over an already configured Graphite data source, or a Grafana admin needs to add a deliberately modified Graphite data source.
All installations running Grafana versions earlier than 8.5.22, 9.2.15, 9.3.11, or 9.4.7 are affected.
Solutions and mitigations
To fully address CVE-2023-1410, please upgrade your Grafana instances.
Reporting security issues
If you think you have found a security vulnerability, please send a report to firstname.lastname@example.org. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com).
We can only accept vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is:
225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0
The key is available from keyserver.ubuntu.com.