CVE-2022-39229 – Grafana users with email as a username can block other users from signing in
https://notcve.org/view.php?id=CVE-2022-39229
Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. • https://github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35 https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r https://access.redhat.com/security/cve/CVE-2022-39229 https://bugzilla.redhat.com/show_bug.cgi?id=2131149 • CWE-287: Improper Authentication •
CVE-2022-39201 – Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
https://notcve.org/view.php?id=CVE-2022-39201
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. • https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57 https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9 https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr https://access.redhat.com/security/cve/CVE-2022-39201 https://bugzilla.redhat.com/show_bug.cgi?id=2131148 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-36062 – Grafana folders admin only permission privilege escalation
https://notcve.org/view.php?id=CVE-2022-36062
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually. • https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492 https://security.netapp.com/advisory/ntap-20221215-0001 • CWE-281: Improper Preservation of Permissions •
CVE-2022-35957 – Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin
https://notcve.org/view.php?id=CVE-2022-35957
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/ Grafana es una plataforma de código abierto para la monitorización y la observabilidad. Las versiones anteriores a 9.1.6 y 8.5.13, son vulnerables a una escalada de admin a server admin cuando es usado auth proxy, lo que permite a un admin tomar la cuenta de server admin y obtener el control total de la instancia de grafana. • https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H https://security.netapp.com/advisory/ntap-20221215-0001 https://access.redhat.com/security/cve/CVE-2022-35957 https://bugzilla.redhat.com/show_bug.cgi?id=2125514 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-290: Authentication Bypass by Spoofing •
CVE-2022-26148 – grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix
https://notcve.org/view.php?id=CVE-2022-26148
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. Se ha detectado un problema en Grafana versiones hasta 7.3.4, cuando es integrado con Zabbix. La contraseña de Zabbix puede encontrarse en el código fuente HTML api_jsonrpc.php. • https://2k8.org/post-319.html https://security.netapp.com/advisory/ntap-20220425-0005 https://access.redhat.com/security/cve/CVE-2022-26148 https://bugzilla.redhat.com/show_bug.cgi?id=2066563 • CWE-312: Cleartext Storage of Sensitive Information •