ASA-202111-5 log generated external raw

[ASA-202111-5] grafana: cross-site scripting
Arch Linux Security Advisory ASA-202111-5 ========================================= Severity: Medium Date : 2021-11-05 CVE-ID : CVE-2021-41174 Package : grafana Type : cross-site scripting Remote : Yes Link : Summary ======= The package grafana before version 8.2.3-1 is vulnerable to cross-site scripting. Resolution ========== Upgrade to 8.2.3-1. # pacman -Syu "grafana>=8.2.3-1" The problem has been fixed upstream in version 8.2.3. Workaround ========== To mitigate the issue, a reverse proxy or similar can be used to block access to block the literal string "{{" in the path. Description =========== A security issue has been found in Grafana before version 8.2.3. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. There are two ways an unauthenticated user can open a page in Grafana that contains the login button: - Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack. - The link is to an unauthenticated page. The following pages are vulnerable: - /dashboard-solo/snapshot/* - /dashboard/snapshot/* - /invite/:code The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} An example of an expression would be: "{{constructor.constructor(‘alert(1)’)()}}". This can be included in the link URL like this: or('alert(1)')()%7D%7D?orgId=1 When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Impact ====== A remote attacker could execute arbitrary JavaScript code by tricking an unauthenticated victim into opening a crafted URL. References ==========