Debian Security Advisory
DLA-3309-1 graphite-web -- LTS security update
- Date Reported:
- 06 Feb 2023
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2022-4728, CVE-2022-4729, CVE-2022-4730.
- More information:
It was discovered that there were a number of issues in graphite-web, a tool provide realtime graphing of system statistics etc.
A series of cross-site scripting (XSS) vulnerabilties existed that could have been exploited remotely. Issues existed in the Cookie Handler, Template Name Handler and Absolute Time Range Handler components:
A vulnerability has been found in Graphite Web and classified as problematic. This vulnerability affects unknown code of the component Cookie Handler. The manipulation leads to cross site scripting. VDB-216742 is the identifier assigned to this vulnerability.
A vulnerability was found in Graphite Web and classified as problematic. This issue affects some unknown processing of the component Template Name Handler. The manipulation leads to cross site scripting. The associated identifier of this vulnerability is VDB-216743.
A vulnerability was found in Graphite Web. It has been classified as problematic. Affected is an unknown function of the component Absolute Time Range Handler. The manipulation leads to cross site scripting. The identifier of this vulnerability is VDB-216744.
For Debian 10
Buster, these problems have been fixed in version 1.1.4-3+deb10u2.
We recommend that you upgrade your graphite-web packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS