QID 730253
Date Published: 2021-11-16
QID 730253: Grafana Enterprise Cross-Site Scripting (XSS) Vulnerability
Grafana is an open-source, general purpose dashboard and graph composer, which runs as a web application.
Affected by the following vulnerabilities:
CVE-2021-41174: In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser.
Affected Versions:
Grafana Version 8.0.0-beta1 to 8.2.2
QID Detection Logic (Unauthenticated):
This QID checks for vulnerable versions of Grafana Enterprise from the server response.
Successful exploitation could allow an unauthenticated remote attacker to trigger a Cross-Site Scripting attack.
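The affected range above spans a pre-release tag (8.0.0-beta1) and an ordinary patch release (8.2.2), so a naive string comparison gets the boundaries wrong. The following is an added example, not Qualys' detection code or Grafana's; it assumes the version string has already been pulled from the server response (the check below parses it from a JSON body with a "version" key, which is an assumption about the response format, not something this record states) and decides whether that version falls inside [8.0.0-beta1, 8.2.3).

```python
"""Affected-version check for CVE-2021-41174 (added example, not the QID's own logic)."""
import json
import re
from typing import Optional, Tuple

# Boundaries from this record: first affected 8.0.0-beta1, fixed in 8.2.3.
FIRST_AFFECTED = "8.0.0-beta1"
FIXED_IN = "8.2.3"

# Pre-release tags sort before the final release with the same number;
# the rank of a final release is higher than any tag.
_TAG_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d*))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '8.0.0-beta1' into a sortable (major, minor, patch, tag_rank, tag_num) tuple.

    Examples: 8.0.0-beta1 -> (8, 0, 0, 1, 1); 8.0.0 -> (8, 0, 0, 3, 0),
    so 8.0.0-beta1 < 8.0.0 as the advisory's range requires.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {v!r}")
    major, minor, patch, tag, tag_num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch), _FINAL_RANK, 0)
    rank = _TAG_RANK.get(tag.lower())
    if rank is None:
        raise ValueError(f"unknown pre-release tag in {v!r}")
    return (int(major), int(minor), int(patch), rank, int(tag_num or 0))


def is_affected(version: str) -> bool:
    """True if version is in the half-open range [8.0.0-beta1, 8.2.3)."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_IN)


def version_from_json_body(body: str) -> Optional[str]:
    """Extract a 'version' field from a JSON response body (assumed format).

    Returns None when the body is not JSON or has no such field, so the caller
    can report 'unknown' rather than guessing.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    value = data.get("version") if isinstance(data, dict) else None
    return value if isinstance(value, str) else None


def assess(body: str) -> str:
    """Classify a response body as 'affected', 'not affected' or 'unknown'."""
    version = version_from_json_body(body)
    if version is None:
        return "unknown"
    try:
        return "affected" if is_affected(version) else "not affected"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Constructed sample body; the real response format is an assumption here.
    print(assess('{"database": "ok", "version": "8.2.2"}'))
```

The pre-release ranks (alpha < beta < rc < final) are the only ordering the range in this record depends on; a version string the parser does not recognise is reported as unknown rather than silently treated as unaffected.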
Solution
Customers are advised to download Grafana Enterprise 8.2.3 to fix this vulnerability.
Workaround:
If for some reason you cannot upgrade, you can use a reverse proxy or similar to block requests whose path contains the literal string {{.
Example of an Nginx rule to block the literal string {{:
location ~ \{\{ {
    deny all;
}
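A point worth checking when porting this rule to another proxy or a WAF: nginx matches a regex location against the normalised, percent-decoded URI, so a request for /d/%7B%7B is denied just like /d/{{. A filter that inspects the raw request target instead will miss the encoded form. The following is an added example, not Grafana's or Qualys' code; it models the rule's decision on constructed request targets and shows the raw-versus-decoded difference.

```python
"""Model of the '{{'-in-path workaround (added example, not from Grafana or Qualys)."""
import re
from typing import List
from urllib.parse import unquote, urlsplit

BLOCKED_LITERAL = "{{"
# Same pattern as the advisory's nginx location regex.
RULE_RE = re.compile(r"\{\{")


def raw_target_matches(request_target: str) -> bool:
    """Naive check on the raw request target, as a proxy that does not decode would do."""
    return bool(RULE_RE.search(request_target))


def decoded_path_matches(request_target: str) -> bool:
    """Check the percent-decoded path only (query string excluded), as nginx's
    location matching does against the normalised URI."""
    path = urlsplit(request_target).path
    return bool(RULE_RE.search(unquote(path)))


def should_deny(request_target: str) -> bool:
    """Decision the workaround is meant to produce: deny when the decoded path contains '{{'."""
    return decoded_path_matches(request_target)


def denied_targets(targets: List[str]) -> List[str]:
    """Return the subset of request targets the rule would deny."""
    return [t for t in targets if should_deny(t)]


# Constructed sample request targets (not captured traffic).
SAMPLE_TARGETS = [
    "/api/health",
    "/d/abc/my-dashboard",
    "/d/abc/{{x}}",
    "/d/abc/%7B%7Bx%7D%7D",
    "/d/abc?panel=%7B%7B",
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t:32} raw={raw_target_matches(t)!s:5} decoded={decoded_path_matches(t)!s:5} deny={should_deny(t)}")
```

The query string is deliberately left out of the decision because the nginx rule in this record matches the path, not the query; if the proxy in use offers a rule on the full request line, decode before matching or the %7B%7B form slips through.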
Vendor References
- Grafana Release Note 8.2.3 - github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8
CVEs related to QID 730253: CVE-2021-41174
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Grafana Release Note 8.2.3 | Grafana Enterprise | | github.com/grafana/grafana/security/advisories/GHSA-3j9m-hcv9-rpj8 |