CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39307 – Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password
https://notcve.org/view.php?id=CVE-2022-39307
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. • https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5 https://security.netapp.com/advisory/ntap-20221215-0004 https://access.redhat.com/security/cve/CVE-2022-39307 https://bugzilla.redhat.com/show_bug.cgi?id=2138015 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39328 – Grafana vulnerable to race condition allowing privilege escalation
https://notcve.org/view.php?id=CVE-2022-39328
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds. Grafana es una plataforma de código abierto para monitorización y observabilidad. • https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch https://security.netapp.com/advisory/ntap-20221215-0003 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-31123 – Grafana plugin signature bypass vulnerability
https://notcve.org/view.php?id=CVE-2022-31123
Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and 8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins downloaded from untrusted sources. • https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8 https://security.netapp.com/advisory/ntap-20221124-0002 https://access.redhat.com/security/cve/CVE-2022-31123 https://bugzilla.redhat.com/show_bug.cgi?id=2131147 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31130 – Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
https://notcve.org/view.php?id=CVE-2022-31130
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. • https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177 https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc https://access.redhat.com/security/cve/CVE-2022-31130 https://bugzilla.redhat.com/show_bug.cgi?id=2131146 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-39201 – Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
https://notcve.org/view.php?id=CVE-2022-39201
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. • https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57 https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9 https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr https://access.redhat.com/security/cve/CVE-2022-39201 https://bugzilla.redhat.com/show_bug.cgi?id=2131148 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •