Vulnerability Name:

CVE-2018-12099 (CCN-144621)

Assigned: 2018-05-03
Published: 2018-05-03
Updated: 2019-04-29
Summary: Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): Required
Scope:
  Scope (S): Changed
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): Low
  Availability (A): None

6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): Required
Scope:
  Scope (S): Changed
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): Low
  Availability (A): None

CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Partial
  Availability (A): None

5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): Single_Instance
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): Partial
  Availability (A): None

Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:

Source: MITRE
Type: CNA
CVE-2018-12099

Source: XF
Type: UNKNOWN
grafana-cve201812099-xss(144621)

Source: CCN
Type: grafana GIT Repository
fix XSS vulnerabilities in dashboard links #11813

Source: CONFIRM
Type: Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/grafana/grafana/pull/11813

Source: CONFIRM
Type: Third Party Advisory
https://github.com/grafana/grafana/releases/tag/v5.2.0-beta1

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20190416-0004/

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:grafana:grafana:*:*:*:*:*:*:*:* (Version <= 5.1.3)

Configuration 2:
  • cpe:/a:netapp:active_iq_performance_analytics_services:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:storagegrid_webscale_nas_bridge:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:grafana:grafana:5.1.3:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:201812099 | V | CVE-2018-12099 | 2022-05-22
oval:org.opensuse.security:def:59840 | P | Security update for chrony (Moderate) | 2021-12-22
oval:org.opensuse.security:def:60433 | P | Security update for MozillaFirefox (Important) | 2021-12-12
oval:org.opensuse.security:def:60390 | P | Security update for util-linux (Moderate) | 2021-10-20
oval:org.opensuse.security:def:58014 | P | Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important) | 2021-09-23
oval:org.opensuse.security:def:59540 | P | Security update for transfig (Moderate) | 2021-09-16
oval:org.opensuse.security:def:60351 | P | Security update for xen (Important) | 2021-09-02
oval:org.opensuse.security:def:57990 | P | Security update for openssl (Important) | 2021-08-24
oval:org.opensuse.security:def:59783 | P | Security update for cpio (Important) | 2021-08-23
oval:org.opensuse.security:def:57040 | P | Security update for arpwatch (Important) | 2021-06-28
oval:org.opensuse.security:def:57940 | P | Security update for caribou (Important) | 2021-06-10
oval:org.opensuse.security:def:60255 | P | Security update for python3 (Important) | 2021-05-17
oval:org.opensuse.security:def:57909 | P | Security update for java-1_7_0-openjdk (Moderate) | 2021-04-29
oval:org.opensuse.security:def:58929 | P | Security update for opensc (Moderate) | 2021-03-31
oval:org.opensuse.security:def:58928 | P | Security update for zabbix (Moderate) | 2021-03-30
oval:org.opensuse.security:def:60471 | P | Security update for openssl-1_0_0 (Moderate) | 2021-03-08
oval:org.opensuse.security:def:59600 | P | Security update for openldap2 (Important) | 2021-03-03
oval:org.opensuse.security:def:57146 | P | Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important) | 2021-02-10
oval:org.opensuse.security:def:59347 | P | Security update for ucode-intel (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60510 | P | perl-YAML-LibYAML on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60508 | P | perl-Tk on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60847 | P | Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59189 | P | Security update for the Linux Kernel (Live Patch 27 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:60560 | P | unzip on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57871 | P | libxcb-dri2-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59655 | P | Security update for MozillaFirefox (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56867 | P | Security update for qemu (Important) | 2020-12-01
oval:org.opensuse.security:def:60768 | P | Security update for samba (Important) | 2020-12-01
oval:org.opensuse.security:def:59167 | P | Security update for kernel-firmware (Important) | 2020-12-01
oval:org.opensuse.security:def:57797 | P | libgnomesu on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60090 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:56629 | P | Security update for rpm (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60818 | P | Security update for mariadb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59166 | P | Security update for texlive (Important) | 2020-12-01
oval:org.opensuse.security:def:57705 | P | dstat on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59901 | P | Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:59359 | P | Security update for python3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56489 | P | Security update for xorg-x11-server (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60727 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:57597 | P | Security update for kvm (Important) | 2020-12-01
oval:org.opensuse.security:def:59107 | P | Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:56467 | P | Security update for MozillaFirefox, mozilla-nss (Important) | 2020-12-01
oval:org.opensuse.security:def:60689 | P | Security update for apache2 (Important) | 2020-12-01
oval:org.opensuse.security:def:57312 | P | Security update for CUPS | 2020-12-01
oval:org.opensuse.security:def:60588 | P | Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate) | 2020-12-01
oval:org.opensuse.security:def:58951 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56466 | P | Security update for krb5 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60605 | P | Security update for ucode-intel (Important) | 2020-12-01
oval:org.opensuse.security:def:60139 | P | Security update for java-1_7_1-ibm (Moderate) | 2020-12-01
oval:org.opensuse.security:def:80649 | P | Security update for grafana, kafka, logstash and monasca-installer (Moderate) | 2018-08-28
oval:org.opensuse.security:def:84300 | P | Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate) | 2018-08-14
oval:org.opensuse.security:def:83854 | P | Security update for grafana, kafka, logstash, openstack-monasca-installer (Moderate) | 2018-08-14
oval:com.ubuntu.xenial:def:201812099000 | V | CVE-2018-12099 on Ubuntu 16.04 LTS (xenial) - low. | 2018-06-11
oval:com.ubuntu.xenial:def:2018120990000000 | V | CVE-2018-12099 on Ubuntu 16.04 LTS (xenial) - low. | 2018-06-11