CVE-2022-39306 – Grafana contains Improper Input Validation
https://notcve.org/view.php?id=CVE-2022-39306
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. • https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84 https://security.netapp.com/advisory/ntap-20221215-0004 https://access.redhat.com/security/cve/CVE-2022-39306 https://bugzilla.redhat.com/show_bug.cgi?id=2138014 • CWE-20: Improper Input Validation CWE-303: Incorrect Implementation of Authentication Algorithm •
CVE-2022-39307 – Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password
https://notcve.org/view.php?id=CVE-2022-39307
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. • https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5 https://security.netapp.com/advisory/ntap-20221215-0004 https://access.redhat.com/security/cve/CVE-2022-39307 https://bugzilla.redhat.com/show_bug.cgi?id=2138015 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2022-39328 – Grafana vulnerable to race condition allowing privilege escalation
https://notcve.org/view.php?id=CVE-2022-39328
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds. Grafana es una plataforma de código abierto para monitorización y observabilidad. • https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch https://security.netapp.com/advisory/ntap-20221215-0003 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •