CVE-2020-13430 - Vulnerability Details - OpenCVE

Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Grafana	Grafana
Redhat	Enterprise Linux Service Mesh

Configuration 1 [-]

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
OpenShift Service Mesh 1.0
servicemesh-grafana-0:6.2.2-38.el8	cpe:/a:redhat:service_mesh:1.0::el8	RHSA-2020:2861	2020-07-07T00:00:00Z
OpenShift Service Mesh 1.1
servicemesh-grafana-0:6.4.3-11.el8	cpe:/a:redhat:service_mesh:1.1::el8	RHSA-2020:2796	2020-07-01T00:00:00Z
Red Hat Enterprise Linux 8
grafana-0:6.7.4-3.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:4682	2020-11-04T00:00:00Z

References

Link	Providers
https://github.com/grafana/grafana/pull/24539
https://github.com/grafana/grafana/releases/tag/v7.0.0
https://nvd.nist.gov/vuln/detail/CVE-2020-13430
https://security.netapp.com/advisory/ntap-20200528-0003/
https://www.cve.org/CVERecord?id=CVE-2020-13430

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-24T17:24:18

Updated: 2024-08-04T12:18:18.364Z

Reserved: 2020-05-24T00:00:00

Link: CVE-2020-13430

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-05-24T18:15:10.097

Modified: 2024-11-21T05:01:14.780

Link: CVE-2020-13430

Redhat

Severity : Moderate

Publid Date: 2020-05-24T00:00:00Z

Links: CVE-2020-13430 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-28T12:06:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/grafana/grafana/releases/tag/v7.0.0"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/grafana/grafana/pull/24539"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200528-0003/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13430", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/grafana/grafana/releases/tag/v7.0.0", "refsource": "MISC", "url": "https://github.com/grafana/grafana/releases/tag/v7.0.0"}, {"name": "https://github.com/grafana/grafana/pull/24539", "refsource": "MISC", "url": "https://github.com/grafana/grafana/pull/24539"}, {"name": "https://security.netapp.com/advisory/ntap-20200528-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200528-0003/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:18:18.364Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grafana/grafana/releases/tag/v7.0.0"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grafana/grafana/pull/24539"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200528-0003/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13430", "datePublished": "2020-05-24T17:24:18", "dateReserved": "2020-05-24T00:00:00", "dateUpdated": "2024-08-04T12:18:18.364Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "matchCriteriaId": "095C0593-F773-43EF-9A75-78D2DC2895BB", "versionEndExcluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource."}, {"lang": "es", "value": "Grafana versiones anteriores a 7.0.0, permite un ataque de tipo XSS del valor de etiqueta por medio de la fuente de datos OpenTSDB."}], "id": "CVE-2020-13430", "lastModified": "2024-11-21T05:01:14.780", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-24T18:15:10.097", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/pull/24539"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/releases/tag/v7.0.0"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200528-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/pull/24539"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/releases/tag/v7.0.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200528-0003/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:2861", "cpe": "cpe:/a:redhat:service_mesh:1.0::el8", "package": "servicemesh-grafana-0:6.2.2-38.el8", "product_name": "OpenShift Service Mesh 1.0", "release_date": "2020-07-07T00:00:00Z"}, {"advisory": "RHSA-2020:2796", "cpe": "cpe:/a:redhat:service_mesh:1.1::el8", "package": "servicemesh-grafana-0:6.4.3-11.el8", "product_name": "OpenShift Service Mesh 1.1", "release_date": "2020-07-01T00:00:00Z"}, {"advisory": "RHSA-2020:4682", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "grafana-0:6.7.4-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-11-04T00:00:00Z"}], "bugzilla": {"description": "grafana: XSS via the OpenTSDB datasource", "id": "1848108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848108"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource.", "A flaw was found in grafana Tag value XSS via the OpenTSDB datasource are possible. The highest threat from this vulnerability is to data confidentiality and integrity."], "name": "CVE-2020-13430", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana-container", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Affected", "impact": "low", "package_name": "rhceph/rhceph-4-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "openshift3/grafana", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2020-05-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-13430\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13430"], "statement": "Red Hat Ceph Storage (RHCS) delivers the affected code of the grafana OpenTSDB plugin. However Red Hat Ceph Storage uses the Prometheus time-series database as a default data source not the OpenTSDB, hence the impact by this vulnerability is set to low.\nRed Hat Gluster Storage (RHGS) delivers the affected code of the grafana OpenTSDB plugin. However Red Hat Gluster Storage uses the Graphite as a data source not the OpenTSDB, hence the impact by this vulnerability is set to low.", "threat_severity": "Moderate"}