
Cloud Vulnerability DB
A community-led vulnerabilities database
Grafana, an open-source platform for monitoring and observability, disclosed a stored XSS vulnerability (CVE-2022-23552) affecting the core plugin GeoMap. The vulnerability was discovered during an internal audit on December 16, 2022, and affects the 8.1 branch onward, up to but not including versions 8.5.16, 9.2.10, and 9.3.4. It exists because SVG files were not properly sanitized, allowing arbitrary JavaScript to execute in the context of the currently authorized user of the Grafana instance (GitHub Advisory).
The root cause is improper sanitization of SVG files in the GeoMap core plugin. An attacker who holds the Editor role can edit a GeoMap panel to reference either an external URL to an SVG file containing JavaScript, or a data: URI that loads an inline SVG with embedded JavaScript; the script runs when another user views the dashboard. GitHub assigns a CVSS v3.1 base score of 7.3 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), while NVD rates it 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N); the two vectors agree on the attack path (network, low complexity, low privileges, user interaction required) and differ only in the scope and confidentiality/integrity impact ratings (NVD, GitHub Advisory).
The vulnerability enables vertical privilege escalation: a user with the Editor role can set the password of an Admin-role user to a value the attacker knows, if that Admin views a dashboard containing the malicious JavaScript. This could lead to unauthorized access to sensitive information and the ability to modify data within the Grafana instance (GitHub Advisory, NetApp Advisory).
Users are advised to upgrade to a patched version: 8.5.16, 9.2.10, or 9.3.4. These releases properly sanitize SVG content so that embedded JavaScript is not executed (NVD, Red Hat Advisory).
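As an added example (not part of this report, and not Grafana's own code or its fix), the script below audits an exported Grafana dashboard for the two injection paths described above: GeoMap panel strings that are data: URIs carrying an SVG with script vectors, and external URLs that point at an SVG the panel will fetch at render time. The panel layout it assumes (panels[].type == "geomap" and a "symbol" object with a "fixed" string) is a constructed approximation of the GeoMap schema, so the walker checks every string under a geomap panel rather than relying on one field path; the sample dashboard and SVG payloads are constructed for the demonstration.

```python
"""Audit an exported Grafana dashboard for GeoMap marker symbols that point
at SVG content capable of running script (the CVE-2022-23552 pattern).

Constructed example for this page, not Grafana's code or its fix. The
panel layout used below (panels[].type == "geomap", a "symbol" object with
a "fixed" string) is an assumption about the GeoMap schema; the walker
therefore inspects every string under a geomap panel instead of relying on
one field path.
"""
import base64
import json
import re
import sys
import urllib.parse
import xml.etree.ElementTree as ET


def parse_data_uri(uri):
    """Return (mediatype, decoded text) for a data: URI, else None."""
    if not uri.lower().startswith("data:"):
        return None
    header, sep, payload = uri[5:].partition(",")
    if not sep:
        return None
    params = header.split(";")
    mediatype = params[0].lower()
    if "base64" in (p.lower() for p in params[1:]):
        try:
            text = base64.b64decode(payload).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
    else:
        text = urllib.parse.unquote(payload)
    return mediatype, text


def svg_script_vectors(svg_text):
    """List the ways an SVG document could execute script: <script>,
    on* event-handler attributes, javascript: hrefs, <foreignObject>
    (which embeds arbitrary HTML), and SMIL <animate>/<set> elements that
    retarget an href or an event handler."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return ["unparseable SVG (reject it)"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop the XML namespace
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element")
        elif tag in ("animate", "set"):
            target = elem.get("attributeName", "").lower()
            if target.startswith("on") or target == "href":
                findings.append(f"<{tag}> retargeting {target}")
        for name, value in elem.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()  # handles xlink:href too
            if local.startswith("on"):
                findings.append(f"event handler attribute {local}")
            elif local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL in href")
    return findings


def iter_strings(node):
    """Yield every string value nested anywhere in a JSON-like structure."""
    if isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)
    elif isinstance(node, str):
        yield node


def audit_geomap_panels(dashboard):
    """Return (panel_id, reason) tuples for risky SVG references in geomap panels."""
    findings = []
    for panel in dashboard.get("panels", []):
        if panel.get("type") != "geomap":
            continue
        for value in iter_strings(panel):
            parsed = parse_data_uri(value)
            if parsed is not None:
                mediatype, text = parsed
                if mediatype == "image/svg+xml" or "<svg" in text.lower():
                    for reason in svg_script_vectors(text):
                        findings.append((panel.get("id"), "inline SVG: " + reason))
            elif re.match(r"https?://\S+\.svg(?:\?|$)", value, re.I):
                # Fetched by the browser at render time, so it cannot be vetted here.
                findings.append((panel.get("id"), "external symbol URL " + value))
    return findings


# Constructed sample data. The onload handler and <script> are the two
# vectors the checker must catch; alert(1) is a placeholder payload.
MALICIOUS_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                 '<script>alert(1)</script></svg>')
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
MALICIOUS_DATA_URI = ("data:image/svg+xml;base64,"
                      + base64.b64encode(MALICIOUS_SVG.encode()).decode())


def marker_panel(panel_id, symbol):
    """Build a geomap panel with one markers layer (assumed schema)."""
    return {"id": panel_id, "type": "geomap", "options": {"layers": [
        {"type": "markers",
         "config": {"style": {"symbol": {"mode": "fixed", "fixed": symbol}}}}]}}


SAMPLE_DASHBOARD = {
    "title": "constructed sample",
    "panels": [
        marker_panel(1, "img/icons/marker/circle.svg"),        # bundled icon: clean
        marker_panel(2, MALICIOUS_DATA_URI),                     # inline SVG with script
        marker_panel(3, "https://attacker.example/marker.svg"),  # external SVG
        {"id": 4, "type": "timeseries", "options": {"note": MALICIOUS_DATA_URI}},  # not geomap
    ],
}

if __name__ == "__main__":
    dashboard = SAMPLE_DASHBOARD
    if len(sys.argv) > 1:  # audit a real export: python audit_geomap.py dashboard.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            dashboard = json.load(fh)
    for panel_id, reason in audit_geomap_panels(dashboard):
        print(f"panel {panel_id}: {reason}")
```

Run against the constructed sample, the script reports two inline-SVG vectors on panel 2 and the external SVG URL on panel 3, and stays silent on the bundled icon in panel 1. The check is deliberately an allow-list-style rejection (any script element, handler attribute or javascript: href fails the file) rather than an attempt to strip offending nodes, which is the safer posture for user-supplied SVG that other users will render.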
Source: This report was generated using AI