CVE-2022-21703 – Cross Site Request Forgery in Grafana
https://notcve.org/view.php?id=CVE-2022-21703
Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue. • https://github.com/grafana/grafana/pull/45083 https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH https://lists.fedoraproject.org/archives/list • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-21702 – Cross site scripting in Grafana proxy
https://notcve.org/view.php?id=CVE-2022-21702
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. • https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85 https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH https://lists.fedorapr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-43815 – Grafana directory traversal for `.cvs` files
https://notcve.org/view.php?id=CVE-2021-43815
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 has a directory traversal for arbitrary .csv files. It only affects instances that have the developer testing tool called TestData DB data source enabled and configured. The vulnerability is limited in scope, and only allows access to files with the extension .csv to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. • http://www.openwall.com/lists/oss-security/2021/12/10/4 https://github.com/grafana/grafana/commit/d6ec6f8ad28f0212e584406730f939105ff6c6d3 https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d https://github.com/grafana/grafana/releases/tag/v8.3.2 https://github.com/grafana/grafana/security/advisories/GHSA-7533-c8qv-jm9m https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix https://security.netapp.com/advisory/ntap-2022010 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2021-43813 – Directory Traversal in Grafana
https://notcve.org/view.php?id=CVE-2021-43813
Grafana is an open-source platform for monitoring and observability. Grafana prior to versions 8.3.2 and 7.5.12 contains a directory traversal vulnerability for fully lowercase or fully uppercase .md files. The vulnerability is limited in scope, and only allows access to files with the extension .md to authenticated users only. Grafana Cloud instances have not been affected by the vulnerability. Users should upgrade to patched versions 8.3.2 or 7.5.12. • http://www.openwall.com/lists/oss-security/2021/12/10/4 https://github.com/github/securitylab-vulnerabilities/commit/689fc5d9fd665be4d5bba200a6a433b532172d0f https://github.com/grafana/grafana/commit/fd48aee61e4328aae8d5303a9efd045fa0ca308d https://github.com/grafana/grafana/security/advisories/GHSA-c3q8-26ph-9g2q https://grafana.com/blog/2021/12/10/grafana-8.3.2-and-7.5.12-released-with-moderate-severity-security-fix https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-12 https://grafana& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2021-39226 – Grafana Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2021-39226
Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot "public_mode" configuration setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the snapshot "public_mode" setting, authenticated users are able to delete the snapshot with the lowest database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The combination of deletion and viewing enables a complete walk through all snapshot data while resulting in complete snapshot data loss. • http://www.openwall.com/lists/oss-security/2021/10/05/4 https://github.com/grafana/grafana/commit/2d456a6375855364d098ede379438bf7f0667269 https://github.com/grafana/grafana/security/advisories/GHSA-69j6-29vr-p3j9 https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-11 https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-1-6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCKBFUSY6V4VU5AQUYWKISREZX5NLQJT https://lists.fedoraproject • CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •