Bug 1216313 (CVE-2023-4457)

Summary: VUL-0: CVE-2023-4457: grafana: information disclosure vulnerability in Google Sheets plugin
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: monitoring-devel <monitoring-devel>
Status: RESOLVED UPSTREAM
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: gabriele.sonnu, monitoring-devel, witold.bedyk
Version: unspecified
Flags: gabriele.sonnu: needinfo?
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/381981/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4457:5.5:(AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-17 08:28:37 UTC
The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source. This vulnerability was fixed in version 1.2.2.

References:
https://grafana.com/security/security-advisories/cve-2023-4457/
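
An added example, not part of the bug report or the plugin's own code: one way a Go data source backend can sanitize an error before returning it to the user. It assumes the API key travels as a `key` query parameter, so it ends up in the request URL that Go's `*url.Error` embeds in its message; `SanitizeError`, `redactURL`, `sensitiveParams`, the sample key and `SHEET_ID` are hypothetical or constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample value, not a real credential.
const sampleKey = "CONSTRUCTED-API-KEY-123"
// Assumption: credentials are carried in these query parameters.
var sensitiveParams = map[string]bool{"key": true, "api_key": true, "access_token": true}

// redactURL masks the values of sensitive query parameters in raw.
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "[URL removed]"
	}
	q := u.Query()
	for name := range q {
		if sensitiveParams[strings.ToLower(name)] {
			q.Set(name, "REDACTED")
		}
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// SanitizeError builds the message that may be shown to the user for a non-nil err.
func SanitizeError(err error, secrets ...string) string {
	msg := err.Error()
	var uerr *url.Error
	if errors.As(err, &uerr) { // net/http errors embed the full request URL
		msg = strings.ReplaceAll(msg, uerr.URL, redactURL(uerr.URL))
	}
	for _, s := range secrets { // catch the key anywhere else in the text
		if s != "" {
			msg = strings.ReplaceAll(msg, s, "REDACTED")
		}
	}
	return msg
}

func sampleError() error {
	u := "https://sheets.googleapis.com/v4/spreadsheets/SHEET_ID?key=" + sampleKey
	return fmt.Errorf("failed to fetch sheet: %w", &url.Error{Op: "Get", URL: u, Err: errors.New("connection refused")})
}
func main() { fmt.Println(SanitizeError(sampleError(), sampleKey)) }
```

The unsanitized `sampleError().Error()` contains the key in full, which is the failure mode the description reports.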
Comment 1 Gabriele Sonnu 2023-10-17 08:29:41 UTC
I believe we don't ship this plugin in any of our codestreams, but better ask.
@Team, can you confirm?
Comment 2 Witek Bedyk 2023-10-17 08:36:16 UTC
Yes, I can confirm we do not ship this plugin in our codestreams.
Comment 3 Gabriele Sonnu 2023-10-17 08:37:31 UTC
None of our codestreams are affected. Closing.