
Security: Fixes for CVE-2022-31107 and CVE-2022-31097 #52279

Merged: 5 commits merged into v9.0.x from km/9.0.x-backport-auth-fixes, Jul 14, 2022

Conversation

kminehart (Contributor) commented Jul 14, 2022

What this PR does / why we need it:

Security fixes:

Grafana OAuth account takeover (CVE-2022-31107)
Grafana stored XSS vulnerability (CVE-2022-31097)

For more information, see our blog

grobinson-grafana and others added 4 commits July 14, 2022 14:31
(cherry picked from commit f4a8d96a4e1259ea25d9cc702a652f1b819db236)
(cherry picked from commit 337c08507b2b1c78ea470192d34cf611fae4b5da)
(cherry picked from commit 54b36a07406ed4e26ff8e161e50eda5401f504da)
(cherry picked from commit b253e87d730f7b8aabdd0b328c5e7a82547c43b3)
(cherry picked from commit 080d3e46f3fcd61555795b9fe8fd6ee2492b422a)
Co-authored-by: Karl Persson <kalle.persson@grafana.com>

Fix: Prefer pointer to struct in lookup

Co-authored-by: Karl Persson <kalle.persson@grafana.com>

Fix: user email for ldap

Co-authored-by: Karl Persson <kalle.persson@grafana.com>

Fix: Use only login for lookup in LDAP

Co-authored-by: Karl Persson <kalle.persson@grafana.com>

Fix: use user email for ldap

Co-authored-by: Karl Persson <kalle.persson@grafana.com>

fix remaining test

fix nit picks

(cherry picked from commit 1eca4aeed878853743cebcf9790b05dd350c4f83)
(cherry picked from commit 0777d100e9263d08f51dbac71aee0766c8a85a92)
@kminehart kminehart requested a review from a team as a code owner July 14, 2022 19:39
@kminehart kminehart requested review from a team July 14, 2022 19:39
@kminehart kminehart requested a review from a team as a code owner July 14, 2022 19:39
@kminehart kminehart requested review from Jguer, kalleep, gillesdemey, peterholmberg, sakjur, mildwonkey and sh0rez and removed request for a team July 14, 2022 19:39
@grafanabot grafanabot added area/backend area/frontend type/ci Tasks related to Continuous Integration workflow labels Jul 14, 2022
@kminehart kminehart added the no-backport Skip backport of PR label Jul 14, 2022
@kminehart kminehart added this to the 9.0.3 milestone Jul 14, 2022
@kminehart kminehart changed the title 9.0.x backport auth fixes Security: Fixes for CVE-2022-31107 and CVE-2022-31097 Jul 14, 2022
@kminehart kminehart requested a review from a team as a code owner July 14, 2022 19:42
@kminehart kminehart requested review from zoltanbedi and removed request for a team July 14, 2022 19:42
@kminehart kminehart merged commit 4665dc2 into v9.0.x Jul 14, 2022
@kminehart kminehart deleted the km/9.0.x-backport-auth-fixes branch July 14, 2022 19:56
Labels: add to changelog, area/backend, area/frontend, enterprise-ok, no-backport (Skip backport of PR), type/ci (Tasks related to Continuous Integration workflow)
6 participants