Bug 1216313 (CVE-2023-4457) - VUL-0: CVE-2023-4457: grafana: information disclosure vulnerability in Google Sheets plugin
Status: RESOLVED UPSTREAM
Alias: CVE-2023-4457
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: monitoring-devel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/381981/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4457:5.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-17 08:28 UTC by SMASH SMASH
Modified: 2023-10-17 08:37 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
gabriele.sonnu: needinfo?


Description SMASH SMASH 2023-10-17 08:28:37 UTC
The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2, is vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source. This vulnerability was fixed in version 1.2.2.

References:
https://grafana.com/security/security-advisories/cve-2023-4457/
Comment 1 Gabriele Sonnu 2023-10-17 08:29:41 UTC
I believe we don't ship this plugin in any of our codestreams, but better ask.
@Team, can you confirm?
Comment 2 Witek Bedyk 2023-10-17 08:36:16 UTC
Yes, I can confirm we do not ship this plugin in our codestreams.
Comment 3 Gabriele Sonnu 2023-10-17 08:37:31 UTC
None of our codestreams are affected. Closing.