CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-46156 – Grafana's default installation of `synthetic-monitoring-agent` exposes sensitive information
https://notcve.org/view.php?id=CVE-2022-46156
The Synthetic Monitoring Agent for Grafana's Synthetic Monitoring application provides probe functionality and executes network checks for monitoring remote targets. Users running the Synthetic Monitoring agent prior to version 0.12.0 in their local network are impacted. The authentication token used to communicate with the Synthetic Monitoring API is exposed through a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and assigned to the agent identified with that token. The Synthetic Monitoring API will reject connections from already-connected agents, so access to the token does not guarantee access to the checks. • https://github.com/grafana/synthetic-monitoring-agent/commit/d8dc7f9c1c641881cbcf0a09e178b90ebf0f0228 https://github.com/grafana/synthetic-monitoring-agent/pull/373 https://github.com/grafana/synthetic-monitoring-agent/pull/374 https://github.com/grafana/synthetic-monitoring-agent/pull/375 https://github.com/grafana/synthetic-monitoring-agent/releases/tag/v0.12.0 https://github.com/grafana/synthetic-monitoring-agent/security/advisories/GHSA-9j4f-f249-q5w8 • CWE-489: Active Debug Code CWE-749: Exposed Dangerous Method or Function •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39306 – Grafana contains Improper Input Validation
https://notcve.org/view.php?id=CVE-2022-39306
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. • https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84 https://security.netapp.com/advisory/ntap-20221215-0004 https://access.redhat.com/security/cve/CVE-2022-39306 https://bugzilla.redhat.com/show_bug.cgi?id=2138014 • CWE-20: Improper Input Validation CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 0CVE-2022-39307 – Grafana subject to Exposure of Sensitive Information resulting in User enumeration via forget password
https://notcve.org/view.php?id=CVE-2022-39307
Grafana is an open-source platform for monitoring and observability. When using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a “user not found” message. This leaks information to unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported to 8.5.15. • https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5 https://security.netapp.com/advisory/ntap-20221215-0004 https://access.redhat.com/security/cve/CVE-2022-39307 https://bugzilla.redhat.com/show_bug.cgi?id=2138015 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-39328 – Grafana vulnerable to race condition allowing privilege escalation
https://notcve.org/view.php?id=CVE-2022-39328
Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds. Grafana es una plataforma de código abierto para monitorización y observabilidad. • https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch https://security.netapp.com/advisory/ntap-20221215-0003 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31130 – Grafana data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
https://notcve.org/view.php?id=CVE-2022-31130
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. • https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177 https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f https://github.com/grafana/grafana/releases/tag/v9.1.8 https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc https://access.redhat.com/security/cve/CVE-2022-31130 https://bugzilla.redhat.com/show_bug.cgi?id=2131146 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •