CVE-2022-31176
Grafana Image Renderer leaking files
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Grafana Image Renderer is a Grafana backend plugin that handles rendering of panels & dashboards to PNGs using a headless browser (Chromium/Chrome). An internal security review identified an unauthorized file disclosure vulnerability. It is possible for a malicious user to retrieve unauthorized files under some network conditions or via a fake datasource (if user has admin permissions in Grafana). All Grafana installations should be upgraded to version 3.6.1 as soon as possible. As a workaround it is possible to [disable HTTP remote rendering](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#plugingrafana-image-renderer).
Grafana Image Renderer es un plugin del backend de Grafana que es encargado de renderizar los paneles y cuadros de mando en PNGs utilizando un navegador headless (Chromium/Chrome). Una revisión de seguridad interna identificó una vulnerabilidad de divulgación de archivos no autorizada. Es posible que un usuario malicioso recupere archivos no autorizados bajo algunas condiciones de red o por medio de una fuente de datos falsa (si el usuario presenta permisos de administrador en Grafana). Todas las instalaciones de Grafana deberían actualizarse a versión 3.6.1 lo antes posible. Como mitigación es posible [deshabilitar el renderizado remoto HTTP](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#plugingrafana-image-renderer)
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-05-18 CVE Reserved
- 2022-09-02 CVE Published
- 2024-04-23 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-306: Missing Authentication for Critical Function
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/grafana/grafana-image-renderer/security/advisories/GHSA-2cfh-233g-m4c5 | Mitigation | |
https://security.netapp.com/advisory/ntap-20221209-0004 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/grafana/grafana-image-renderer/pull/364 | 2023-07-24 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Grafana Search vendor "Grafana" | Grafana-image-renderer Search vendor "Grafana" for product "Grafana-image-renderer" | < 3.6.1 Search vendor "Grafana" for product "Grafana-image-renderer" and version " < 3.6.1" | grafana |
Affected
|