Red Hat Security Advisory: Red Hat OpenShift Service Mesh servicemesh-grafana security update
🔗 CVE IDs covered (8)
📋 Description
CVE-2019-11253 — kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service CVE-2019-16769 — npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions CVE-2020-7660 — npm-serialize-javascript: allows remote attackers to inject arbitrary code via the function deleteFunctions within index.js CVE-2020-7662 — npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser CVE-2020-12052 — grafana: XSS annotation popup vulnerability CVE-2020-12245 — grafana: XSS via column.title or cellLinkTooltip CVE-2020-13379 — grafana: SSRF incorrect access control vulnerability allows unauthenticated users to make grafana send HTTP requests to any URL CVE-2020-13430 — grafana: XSS via the OpenTSDB datasource
🔗 References (11)
- selfhttps://access.redhat.com/errata/RHSA-2020:2796
- externalhttps://access.redhat.com/security/updates/classification/#important
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1757701
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1843640
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1844228
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1845982
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1848089
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1848092
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1848108
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1848643
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2796.json