Update dependency @grafana/data to v8.2.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@grafana/data (source)	8.1.3 -> 8.2.3

GitHub Vulnerability Alerts

CVE-2021-41174

Today we are releasing Grafana 8.2.3. This patch release includes an important security fix for an issue that affects all Grafana versions from 8.0.0-beta1.

Grafana Cloud instances have already been patched and an audit did not find any usage of this attack vector. Grafana Enterprise customers were provided with updated binaries under embargo.

CVE-2021-41174 XSS vulnerability on unauthenticated pages

Summary

CVSS Score: 6.9 Medium
CVSS:CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N/E:U/RL:O/RC:R/CR:L/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:N/MI:H/MA:L

We received a security report to security@grafana.com on 2021-10-21 about a vulnerability in Grafana regarding the XSS vulnerability.

It was later identified as affecting Grafana versions from 8.0.0-beta1 to 8.2.2. CVE-2021-41174 has been assigned to this vulnerability.

Impact

If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser.

The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar.

There are two ways an unauthenticated user can open a page in Grafana that contains the login button:

• Anonymous authentication is enabled. This means all pages in Grafana would be open for the attack.
• The link is to an unauthenticated page. The following pages are vulnerable:
  • /dashboard-solo/snapshot/*
  • /dashboard/snapshot/*
  • /invite/:code

The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }}

An example of an expression would be: {{constructor.constructor(‘alert(1)’)()}}. This can be included in the link URL like this:

https://play.grafana.org/dashboard/snapshot/%7B%7Bconstructor.constructor('alert(1)')()%7D%7D?orgId=1

When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL.

Attack audit

We can not guarantee that the below will identify all attacks, so if you find something using the audit process described below, you should consider doing a full assessment.

Through reverse proxy/load balancer logs

To determine if your Grafana installation has been exploited for this vulnerability, search through your reverse proxy/load balancer access logs for instances where the path contains {{ followed by something that would invoke JavaScript code. For example, this could be code that attempts to show a fake login page or to steal browser or session data. The OWASP cheat sheet has several examples of XSS attacks.

Through the Grafana Enterprise audit feature

If you enabled “Log web requests” in your configuration with router_logging = true, look for requests where path contains {{ followed by something that would invoke JavaScript code.

Patched versions

Release 8.2.3:

• Download Grafana 8.2.3
• Release notes

Solutions and mitigations

Download and install the appropriate patch for your version of Grafana.

Grafana Cloud instances have already been patched, and Grafana Enterprise customers were provided with updated binaries under embargo.

Workaround

If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to block the literal string {{ in the path.

Example of an Nginx rule to block the literal string {{:

location ~ \{\{ {
    deny all;
}

Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.

• 2021-10-21 23:13: Security researcher sends the initial report about an XSS vulnerability.
• 2021-10-21 23:13: Confirmed to be reproducible in at least versions 8.0.5 and 8.2.2.
• 2021-10-22 02:02 MEDIUM severity declared.
• 2021-10-22 09:22: it is discovered that Grafana instances with anonymous auth turned on are vulnerable. This includes https://play.grafana.org/ .
• 2021-10-22 09:50: Anonymous access disabled for all instances on Grafana Cloud as a mitigation measure.
• 2021-10-22 11:15: Workaround deployed on Grafana Cloud that blocks malicious requests.
• 2021-10-22 12:35: Enabled anonymous access for instances on Grafana Cloud.
• 2021-10-22 12:51: All instances protected by the workaround. From this point forward, Grafana Cloud is no longer affected.
• 2021-10-22 14:05 Grafana Cloud instances updated with a fix.
• 2021-10-22 19:23 :Determination that no weekend work is needed as the issue is of MEDIUM severity and the root cause has been identified.
• 2021-10-25 14:13: Audit of Grafana Cloud concluded, no evidence of exploitation.
• 2021-10-27 12:00: Grafana Enterprise images released to customers under embargo.
• 2021-11-03 12:00: Public release.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of
Grafana Labs' open source and commercial products (including but not limited to Grafana, Tempo, Loki, k6, Tanka, and Grafana Cloud, Grafana Enterprise, and grafana.com). We only accept vulnerability reports at this address. We would prefer that you encrypt your message to us using our PGP key. The key fingerprint is:

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com by searching for security@grafana.

Security announcements

There is a Security category on the Grafana blog where we will post a summary, remediation, and mitigation details for any patch containing security fixes and you can subscribe to updates from our Security Announcements RSS feed.

---

Release Notes

grafana/grafana (@​grafana/data)

v8.2.3: 8.2.3 (2021-11-03)

Compare Source

Download page
What's new highlights

v8.2.2: 8.2.2 (2021-10-21)

Compare Source

Download page
What's new highlights

Features and enhancements

• Annotations: We have improved tag search performance. #​40567, @​ashharrison90
• Application: You can now configure an error-template title. #​40310, @​benrubson
• AzureMonitor: We removed a restriction from the resource filter query. #​40690, @​andresmgot
• Caching: Make cache size metric collection optional. (Enterprise)
• Packaging: We removed the ProcSubset option in systemd. This option prevented Grafana from starting in LXC environments. #​40339, @​kminehart
• Prometheus: We removed the autocomplete limit for metrics. #​39363, @​ivanahuckova
• Request interceptor: Allow MSSQL's named instances. (Enterprise)
• Table: We improved the styling of the type icons to make them more distinct from column / field name. #​40596, @​torkelo
• ValueMappings: You can now use value mapping in stat, gauge, bar gauge, and pie chart visualizations. #​40612, @​torkelo

Bug fixes

• Alerting: Fix panic when Slack's API sends unexpected response. #​40721, @​santihernandezc
• Alerting: The Create Alert button now appears on the dashboard panel when you are working with a default datasource. #​40334, @​domasx2
• Explore: We fixed the problem where the Explore log panel disappears when an Elasticsearch logs query returns no results. #​40217, @​Elfo404
• Graph: You can now see annotation descriptions on hover. #​40581, @​axelavargas
• Logs: The system now uses the JSON parser only if the line is parsed to an object. #​40507, @​ivanahuckova
• Prometheus: We fixed the issue where the system did not reuse TCP connections when querying from Grafana alerting. #​40349, @​kminehart
• Prometheus: We fixed the problem that resulted in an error when a user created a query with a $__interval min step. #​40525, @​ivanahuckova
• RowsToFields: We fixed the issue where the system was not properly interpreting number values. #​40580, @​torkelo
• Scale: We fixed how the system handles NaN percent when data min = data max. #​40622, @​torkelo
• Table panel: You can now create a filter that includes special characters. #​40458, @​dprokop

v8.2.1: 8.2.1 (2021-10-11)

Compare Source

Download page
What's new highlights

Bug fixes

• Dashboard: Fix rendering of repeating panels. #​39991, @​hugohaggmark
• Datasources: Fix deletion of data source if plugin is not found. #​40095, @​jackw
• Packaging: Remove systemcallfilters sections from systemd unit files. #​40176, @​kminehart
• Prometheus: Add Headers to HTTP client options. #​40214, @​dsotirakis

v8.2.0: 8.2.0 (2021-10-07)

Compare Source

Download page
What's new highlights

Features and enhancements

• AWS: Updated AWS authentication documentation. #​39236, @​sunker
• Alerting: Added support Alertmanager data source for upstream Prometheus AM implementation. #​39775, @​domasx2
• Alerting: Allows more characters in label names so notifications are sent. #​38629, @​gotjosh
• Alerting: Get alert rules for a dashboard or a panel using /api/v1/rules endpoints. #​39476, @​gerobinson
• Annotations: Improved rendering performance of event markers. #​39984, @​torkelo
• CloudWatch Logs: Skip caching for log queries. #​39860, @​aocenas
• Explore: Added an opt-in configuration for Node Graph in Jaeger, Zipkin, and Tempo. #​39958, @​connorlindsey
• Prometheus: Metrics browser can now handle label values with special characters. #​39713, @​gabor

Bug fixes

• CodeEditor: Ensure that we trigger the latest onSave callback provided to the component. #​39835, @​mckn
• DashboardList/AlertList: Fix for missing All folder value. #​39772, @​hugohaggmark

Plugin development fixes & changes

• Plugins: Create a mock icon component to prevent console errors. #​39901, @​jackw

v8.1.8: 8.1.8 (2021-12-07)

Compare Source

Download page
What's new highlights

Security: Fixes CVE-2021-43798. For more information, see our blog

v8.1.7: 8.1.7 (2021-10-06)

Compare Source

Download page
What's new highlights

Bug fixes

• Alerting: Fix alerts with evaluation interval more than 30 seconds resolving before notification. #​39513, @​gerobinson
• Elasticsearch/Prometheus: Fix usage of proper SigV4 service namespace. #​39439, @​marefr

v8.1.6: 8.1.6 (2021-10-05)

Compare Source

Download page
What's new highlights

Bug fixes

• Security: Fixes CVE-2021-39226. For more information, see our blog

v8.1.5: 8.1.5 (2021-09-21)

Compare Source

Download page
What's new highlights

Bug fixes

• BarChart: Fixes panel error that happens on second refresh. #​39304, @​DanCech

v8.1.4: 8.1.4 (2021-09-16)

Compare Source

Download page
What's new highlights

Features and enhancements

• Explore: Ensure logs volume bar colors match legend colors. #​39072, @​ifrost
• LDAP: Search all DNs for users. #​38891, @​sakjur

Bug fixes

• Alerting: Fix notification channel migration. #​38983, @​papagian
• Annotations: Fix blank panels for queries with unknown data sources. #​39017, @​hugohaggmark
• BarChart: Fix stale values and x axis labels. #​39188, @​leeoniya
• Graph: Make old graph panel thresholds work even if ngalert is enabled. #​38918, @​domasx2
• InfluxDB: Fix regex to identify / as separator. #​39185, @​dsotirakis
• LibraryPanels: Fix update issues related to library panels in rows. #​38963, @​hugohaggmark
• Variables: Fix variables not updating inside a Panel when the preceding Row uses "Repeat For". #​38935, @​axelavargas

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.