CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 0CVE-2022-36062 – Grafana folders admin only permission privilege escalation
https://notcve.org/view.php?id=CVE-2022-36062
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually. • https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492 https://security.netapp.com/advisory/ntap-20221215-0001 • CWE-281: Improper Preservation of Permissions •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2022-35957 – Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin
https://notcve.org/view.php?id=CVE-2022-35957
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/ Grafana es una plataforma de código abierto para la monitorización y la observabilidad. Las versiones anteriores a 9.1.6 y 8.5.13, son vulnerables a una escalada de admin a server admin cuando es usado auth proxy, lo que permite a un admin tomar la cuenta de server admin y obtener el control total de la instancia de grafana. • https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H https://security.netapp.com/advisory/ntap-20221215-0001 https://access.redhat.com/security/cve/CVE-2022-35957 https://bugzilla.redhat.com/show_bug.cgi?id=2125514 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-290: Authentication Bypass by Spoofing •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-31107 – Grafana account takeover via OAuth vulnerability
https://notcve.org/view.php?id=CVE-2022-31107
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. • https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2 https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10 https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9 https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3 https://security.netapp.com/advisory/ntap-20220901-0010 https://access.redhat.com/security/cve/CVE-2022-31107 https://bugzilla.redhat.com/show_bug.cgi?id=2104367 • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 15%CPEs: 5EXPL: 1CVE-2022-26148 – grafana: An information leak issue was discovered in Grafana through 7.3.4, when integrated with Zabbix
https://notcve.org/view.php?id=CVE-2022-26148
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address. Se ha detectado un problema en Grafana versiones hasta 7.3.4, cuando es integrado con Zabbix. La contraseña de Zabbix puede encontrarse en el código fuente HTML api_jsonrpc.php. • https://2k8.org/post-319.html https://security.netapp.com/advisory/ntap-20220425-0005 https://access.redhat.com/security/cve/CVE-2022-26148 https://bugzilla.redhat.com/show_bug.cgi?id=2066563 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2022-21713 – Exposure of Sensitive Information in Grafana
https://notcve.org/view.php?id=CVE-2022-21713
Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue. • https://github.com/grafana/grafana/pull/45083 https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH https://lists.fedoraproject.org/archives/list • CWE-425: Direct Request ('Forced Browsing') CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •