Security update for grafana

Announcement ID:	SUSE-SU-2022:3676-1
Rating:	important
References:	bsc#1188571 bsc#1189520 bsc#1192383 bsc#1192763 bsc#1193492 bsc#1193686 bsc#1194873 bsc#1195726 bsc#1195727 bsc#1195728 bsc#1201535 bsc#1201539 bsc#1203596 bsc#1203597 jsc#PED-2145 jsc#SLE-23422 jsc#SLE-23439 jsc#SLE-24565
Cross-References:	CVE-2021-36222 CVE-2021-3711 CVE-2021-41174 CVE-2021-41244 CVE-2021-43798 CVE-2021-43815 CVE-2022-21673 CVE-2022-21702 CVE-2022-21703 CVE-2022-21713 CVE-2022-31097 CVE-2022-31107 CVE-2022-35957 CVE-2022-36062
CVSS scores:	CVE-2021-36222 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-36222 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-3711 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-3711 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-41174 ( SUSE ): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N CVE-2021-41174 ( NVD ): 6.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N CVE-2021-41244 ( SUSE ): 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2021-41244 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2021-43798 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-43798 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-43815 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2021-43815 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-21673 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-21673 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-21702 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVE-2022-21702 ( NVD ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2022-21703 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2022-21703 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2022-21713 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-21713 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVE-2022-31097 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVE-2022-31097 ( NVD ): 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVE-2022-31107 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L CVE-2022-31107 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-35957 ( SUSE ): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2022-35957 ( NVD ): 6.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2022-36062 ( SUSE ): 6.4 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L CVE-2022-36062 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Affected Products:	SUSE Enterprise Storage 6 SUSE Linux Enterprise Server 15 SP1

An update that solves 14 vulnerabilities and contains four features can now be installed.

Description:

This update for grafana fixes the following issues:

Updated to version 8.5.13 (jsc#PED-2145, jsc#SLE-23439, jsc#SLE-23422, jsc#SLE-24565):

• CVE-2022-36062: Fixed RBAC folders/dashboards privilege escalation (bsc#1203596).
• CVE-2022-35957: Fixed escalation from admin to server admin when auth proxy is used (bsc#1203597).
• CVE-2022-31107: Fixed OAuth account takeover (bsc#1201539).
• CVE-2022-31097: Fixed XSS vulnerability in the Unified Alerting (bsc#1201535).
• CVE-2022-21702: Fixed XSS vulnerability in handling data sources (bsc#1195726).
• CVE-2022-21703: Fixed cross-origin request forgery vulnerability (bsc#1195727).
• CVE-2022-21713: Fixed Insecure Direct Object Reference vulnerability in Teams API (bsc#1195728).
• CVE-2022-21673: Fixed missing error return in GetUserInfo if no user was found (bsc#1194873).
• CVE-2021-43815: Fixed directory traversal for .csv files (bsc#1193686).
• CVE-2021-41244: Fixed incorrect access control vulnerability(bsc#1192763).
• CVE-2021-41174: Fixed XSS vulnerability on unauthenticated pages through interpolation binding expressions for AngularJS in URL (bsc#1192383).
• CVE-2021-3711: Fixed SM2 Decryption Buffer Overflow (bsc#1189520).
• CVE-2021-36222: Fixed a null pointer dereference in the KDC (bsc#1188571).
• CVE-2021-43798: Fixed arbitrary file read in the graph native plugin (bsc#1193492).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Enterprise Storage 6
  zypper in -t patch SUSE-Storage-6-2022-3676=1

Package List:

• SUSE Enterprise Storage 6 (aarch64 x86_64)
  • grafana-8.5.13-150100.3.12.1
  • grafana-debuginfo-8.5.13-150100.3.12.1

References:

• https://www.suse.com/security/cve/CVE-2021-36222.html
• https://www.suse.com/security/cve/CVE-2021-3711.html
• https://www.suse.com/security/cve/CVE-2021-41174.html
• https://www.suse.com/security/cve/CVE-2021-41244.html
• https://www.suse.com/security/cve/CVE-2021-43798.html
• https://www.suse.com/security/cve/CVE-2021-43815.html
• https://www.suse.com/security/cve/CVE-2022-21673.html
• https://www.suse.com/security/cve/CVE-2022-21702.html
• https://www.suse.com/security/cve/CVE-2022-21703.html
• https://www.suse.com/security/cve/CVE-2022-21713.html
• https://www.suse.com/security/cve/CVE-2022-31097.html
• https://www.suse.com/security/cve/CVE-2022-31107.html
• https://www.suse.com/security/cve/CVE-2022-35957.html
• https://www.suse.com/security/cve/CVE-2022-36062.html
• https://bugzilla.suse.com/show_bug.cgi?id=1188571
• https://bugzilla.suse.com/show_bug.cgi?id=1189520
• https://bugzilla.suse.com/show_bug.cgi?id=1192383
• https://bugzilla.suse.com/show_bug.cgi?id=1192763
• https://bugzilla.suse.com/show_bug.cgi?id=1193492
• https://bugzilla.suse.com/show_bug.cgi?id=1193686
• https://bugzilla.suse.com/show_bug.cgi?id=1194873
• https://bugzilla.suse.com/show_bug.cgi?id=1195726
• https://bugzilla.suse.com/show_bug.cgi?id=1195727
• https://bugzilla.suse.com/show_bug.cgi?id=1195728
• https://bugzilla.suse.com/show_bug.cgi?id=1201535
• https://bugzilla.suse.com/show_bug.cgi?id=1201539
• https://bugzilla.suse.com/show_bug.cgi?id=1203596
• https://bugzilla.suse.com/show_bug.cgi?id=1203597
• https://jira.suse.com/browse/PED-2145
• https://jira.suse.com/browse/SLE-23422
• https://jira.suse.com/browse/SLE-23439
• https://jira.suse.com/browse/SLE-24565