CVE-2022-46156 – Grafana's default installation of `synthetic-monitoring-agent` exposes sensitive information
https://notcve.org/view.php?id=CVE-2022-46156
The Synthetic Monitoring Agent for Grafana's Synthetic Monitoring application provides probe functionality and executes network checks for monitoring remote targets. Users running the Synthetic Monitoring agent prior to version 0.12.0 in their local network are impacted. The authentication token used to communicate with the Synthetic Monitoring API is exposed through a debugging endpoint. This token can be used to retrieve the Synthetic Monitoring checks created by the user and assigned to the agent identified with that token. The Synthetic Monitoring API will reject connections from already-connected agents, so access to the token does not guarantee access to the checks. • https://github.com/grafana/synthetic-monitoring-agent/commit/d8dc7f9c1c641881cbcf0a09e178b90ebf0f0228 https://github.com/grafana/synthetic-monitoring-agent/pull/373 https://github.com/grafana/synthetic-monitoring-agent/pull/374 https://github.com/grafana/synthetic-monitoring-agent/pull/375 https://github.com/grafana/synthetic-monitoring-agent/releases/tag/v0.12.0 https://github.com/grafana/synthetic-monitoring-agent/security/advisories/GHSA-9j4f-f249-q5w8 • CWE-489: Active Debug Code CWE-749: Exposed Dangerous Method or Function •