
In this week's digest, we'll focus on the following:
- HashiCorp Vault Cross-site Scripting Vulnerability
- Grafana Access Control and Race Condition Vulnerabilities
- PMM Authentication Bypass Vulnerability
CVE-2023-2121: HashiCorp Vault Cross-site Scripting Vulnerability
Background
HashiCorp Vault is an open source tool designed to securely store and manage sensitive data in modern IT environments. It acts as a centralized secret management solution, providing a secure way to store and access passwords, API keys, certificates, and other types of secrets. Vault uses a combination of encryption, access control policies, and auditing capabilities to protect sensitive information. Vault Enterprise is the commercial version of HashiCorp Vault. It provides additional features and support tailored for enterprise-scale deployments.
Vulnerability
The vulnerability, tracked as CVE-2023-2121, is an injection vulnerability that allows HTML injection into the Vault Web UI via key values. The affected products include Vault and Vault Enterprise since 1.10.0.
Vault 1.10.0 introduced the ability to easily compare the difference between two revisions of kv-v2 (KV Secrets Engine) key-value secrets in Vault's web UI.
A user with write privileges to a kv-v2 secrets engine mount could provide a string that would be incorrectly sanitized and rendered as raw HTML by Vault's web UI, resulting in an HTML injection.
By default, Vault's Content Security Policy prevents the execution of inline JavaScript, therefore preventing exposure to cross-site scripting via this vector. Vault uses three main mechanisms for preventing cross-site scripting: strong typing and input validation on the backend, framework-provided output encoding on the frontend, and a restrictive, customizable content security policy that includes script-src 'self' by default.
It should be noted that the impact of this vulnerability is low, since an attacker needs write privileges to a kv-v2 secrets engine in order to inject payloads.
Mitigation
- Upgrading to the patched versions of Vault, i.e. 1.14.0, 1.13.3, 1.12.7, and 1.11.11, is highly recommended.
Grafana Access Control and Race Condition Vulnerabilities
Background
Grafana is an open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources. Grafana is a popular tool for monitoring and visualizing metrics from various sources, including Prometheus, InfluxDB, Graphite, and Elasticsearch. It can also be used to create dashboards that display data from multiple sources in a single view.
Vulnerabilities
Grafana versions 9.5 (before 9.5.3), 9.4 (before 9.4.12), 9.3 (before 9.3.15), 9.0 (before 9.2.19) and 8.0 (before 8.5.26) have several vulnerabilities, which we'll cover.
CVE-2023-2183: Broken Access Control
Grafana offers the functionality to send alerts via the API or the Web UI user panel.
This vulnerability, tracked as CVE-2023-2183, allows an attacker in the Viewer role to send alerts through the API Alert-Test function. This issue occurs because the API does not check the user's access to the API alert function. The vulnerability can be seen being abused in this PoC.
One point to be noted here is that this option is not available in the user panel UI for the Viewer role, only via the API.
This vulnerability allows malicious users to abuse the functionality by sending multiple alert messages via email, Slack, and other platforms; spamming users; preparing phishing attacks or getting the SMTP server / IP blocked; or causing all messages to be moved automatically to a spam folder or the sending IP to be added to a blacklist.
Mitigation
- Upgrading to the patched versions of Grafana, i.e. 9.5.3, 9.4.12, 9.3.15, 9.2.19, and 8.5.26, is highly recommended.
- To prevent spamming via email, consider changing the SMTP server configuration to limit the number of emails that can be sent to the same address per unit of time (a rate threshold).
CVE-2023-2801: DS Proxy Race Condition
Grafana offers the functionality to create mixed queries by using data from multiple data sources. For example, you could create a mixed query that uses data from both Prometheus and InfluxDB. Public Dashboards is another feature in Grafana that allows users to share dashboards with anyone outside your organization.
The vulnerability, tracked as CVE-2023-2801, exists in the way Grafana handles mixed queries. When Grafana receives a mixed query, it tries to execute the query against each data source in turn. However, if the query is malformed, this can cause Grafana to crash. More specifically, if you send an API call to the /ds/query or a public dashboard query endpoint that contains mixed queries, you can crash your Grafana instance. The only feature that uses mixed queries within Grafana right now is Public Dashboards, but it is also possible to trigger this issue by calling the API directly.
NOTE: If you have Public Dashboards (PD) enabled, this vulnerability is rated as High by Grafana. Even if you have disabled PD, this vulnerability still poses a risk. However, triggering the issue then requires data source read privileges and access to the Grafana API through a developer script.
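An added example, not Grafana's own code, of the defensive pattern that turns the failure mode above into a per-sub-query error: every sub-query of a mixed query runs under its own recover, so a malformed one, or one whose data source is unknown, yields an error result instead of taking the process down. The Query, Result and Runner types and the PanicOnEmpty runner are constructed for this illustration.

```go
package main

import "fmt"

// Query is one sub-query of a mixed query; DatasourceUID selects the backend.
// The types here are constructed for this example and are not Grafana's own.
type Query struct {
	RefID         string
	DatasourceUID string
	Expr          string
}
// Result is the outcome of one sub-query; Err is nil on success.
type Result struct {
	RefID string
	Err   error
}
// Runner is a hypothetical executor for a single data source.
type Runner func(expr string) error
// PanicOnEmpty is a constructed runner that panics on an empty expression,
// standing in for the malformed-query failure the advisory describes.
func PanicOnEmpty(expr string) error {
	if expr == "" {
		panic("nil query model")
	}
	return nil
}

// runOne executes one sub-query and turns a panic inside the runner into an
// error, so a single malformed sub-query cannot take down the whole process.
// A missing data source (nil Runner) panics on call and is caught the same way.
func runOne(r Runner, q Query) (res Result) {
	res.RefID = q.RefID
	defer func() {
		if p := recover(); p != nil {
			res.Err = fmt.Errorf("sub-query %q failed: %v", q.RefID, p)
		}
	}()
	res.Err = r(q.Expr)
	return
}

// RunMixed runs the sub-queries against their data sources in turn; each
// failure is reported in its own Result instead of aborting the request.
func RunMixed(queries []Query, runners map[string]Runner) []Result {
	out := make([]Result, 0, len(queries))
	for _, q := range queries {
		out = append(out, runOne(runners[q.DatasourceUID], q))
	}
	return out
}
```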
Mitigation
- Upgrading to the patched versions of Grafana, i.e. 9.5.3, 9.4.12, 9.3.15, 9.2.19, and 8.5.26, is highly recommended.
- Try to avoid using mixed queries with Public Dashboards.
CVE-2023-34409: PMM Authentication Bypass Vulnerability
Background
Percona Monitoring and Management (PMM) is a monitoring and management tool for open source databases, including MySQL, PostgreSQL, and MongoDB. It collects metrics from your databases and hosts and displays them in a web-based dashboard. PMM also includes features for troubleshooting, alerting, and performance optimization.
Vulnerability
This vulnerability, tracked as CVE-2023-34409, is an authentication bypass vulnerability that exists in the way PMM handles authentication. All versions of PMM starting with 2.0.0 are assumed to be vulnerable.
In the vulnerable versions of PMM, the authentication function would strip segments of the URL until it found a matching pattern in its ruleset. The function does not properly sanitize URL paths to reject path traversal attempts. This flaw can be exploited by an unauthenticated remote attacker by feeding a malformed URL to PMM, which can bypass authentication and access PMM logs, resulting in the disclosure of sensitive information and potential escalation of privileges.
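As an added illustration, not PMM's code, the hypothetical matcher below contrasts the segment-stripping approach described above with one that canonicalises the request path before consulting the ruleset and refuses anything that is not already canonical, so the path that gets authorised is the path the backend will serve. The ruleset, roles and paths are constructed for the example.

```go
package main

import (
	"path"
	"strings"
)

// Rule maps a URL path to the minimum role needed to reach it. The ruleset
// is constructed for illustration and is not PMM's real configuration.
type Rule struct {
	Path string
	Role int // 0 = no authentication, 1 = viewer, 2 = admin
}

var rules = []Rule{{"/public/ping", 0}, {"/admin/logs", 2}, {"/", 1}}

// RoleLenient mirrors the flawed approach described above: walk the raw path
// upward, dropping the last segment until some rule matches exactly. Dot
// segments are never resolved, so the decision is made for the wrong path.
func RoleLenient(raw string) int {
	for p := raw; strings.HasPrefix(p, "/"); p = p[:strings.LastIndex(p, "/")] {
		for _, r := range rules {
			if r.Path == p {
				return r.Role
			}
		}
	}
	return 2 // nothing matched: require the highest role
}

// RoleStrict canonicalises first and rejects any path that is not already
// canonical, then picks the longest rule matching on a segment boundary.
func RoleStrict(raw string) (int, bool) {
	clean := path.Clean(raw)
	if !strings.HasPrefix(raw, "/") || (clean != raw && clean+"/" != raw) {
		return 2, false // contained ".", ".." or "//": reject outright
	}
	bestLen, role := -1, 2
	for _, r := range rules {
		if (clean == r.Path || r.Path == "/" || strings.HasPrefix(clean, r.Path+"/")) && len(r.Path) > bestLen {
			bestLen, role = len(r.Path), r.Role // longest matching prefix wins
		}
	}
	return role, bestLen >= 0
}
```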
Mitigation
- Upgrading to the patched version of PMM, i.e. 2.37.1, is highly recommended, particularly if the PMM instance is accessible directly from the internet.