CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 1CVE-2022-21702 – Cross site scripting in Grafana proxy
https://notcve.org/view.php?id=CVE-2022-21702
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. • https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85 https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH https://lists.fedorapr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-21673 – OAuth Identity Token exposure in Grafana
https://notcve.org/view.php?id=CVE-2022-21673
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4. • https://github.com/grafana/grafana/releases/tag/v7.5.13 https://github.com/grafana/grafana/releases/tag/v8.3.4 https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/mess • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-43815 – Grafana directory traversal for `.cvs` files
https://notcve.org/view.php?id=CVE-2021-43815
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. • http://www.openwall.com/lists/oss-security/2021/12/10/4 https://github.com/grafana/grafana/commit/d6ec6f8ad28f0212e584406730f939105ff6c6d3 https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d https://github.com/grafana/grafana/releases/tag/v8.3.2 https://github.com/grafana/grafana/security/advisories/GHSA-7533-c8qv-jm9m https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix https://security.netapp.com/advisory/ntap-2022010 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 1%CPEs: 2EXPL: 0CVE-2021-43813 – Directory Traversal in Grafana
https://notcve.org/view.php?id=CVE-2021-43813
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. • http://www.openwall.com/lists/oss-security/2021/12/10/4 https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12 https://grafana& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41090 – Instance config inline secret exposure
https://notcve.org/view.php?id=CVE-2021-41090
Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defined in the base YAML file are exposed at `/-/config` and metrics instance configs defined for the scraping service are exposed at `/agent/api/v1/configs/:key`. Inline secrets will be exposed to anyone being able to reach these endpoints. If HTTPS with client authentication is not configured, these endpoints are accessible to unauthenticated users. Secrets found in these sections are used for delivering metrics to a Prometheus Remote Write system, authenticating against a system for discovering Prometheus targets, and authenticating against a system for collecting metrics. • https://github.com/grafana/agent/commit/af7fb01e31fe2d389e5f1c36b399ddc46b412b21 https://github.com/grafana/agent/pull/1152 https://github.com/grafana/agent/releases/tag/v0.20.1 https://github.com/grafana/agent/releases/tag/v0.21.2 https://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh https://security.netapp.com/advisory/ntap-20211229-0004 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-312: Cleartext Storage of Sensitive Information •