CVE-2022-44643

Access policy with access to all tenants and using label selectors has more access

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not be applied when using this policy with the affected versions of the software. This issue affects: Grafana Labs Grafana Enterprise Metrics GEM 1.X versions prior to 1.7.1 on AMD64; GEM 2.X versions prior to 2.3.1 on AMD64.

Una vulnerabilidad en el control de acceso basado en etiquetas de Grafana Labs Grafana Enterprise Metrics permite a un atacante tener más acceso del previsto. Si a una política de acceso que tiene restricciones del selector de etiquetas también se le ha otorgado acceso a todos los inquilinos del sistema, las restricciones del selector de etiquetas no se aplicarán cuando se use esta política con las versiones afectadas del software. Este problema afecta a: Grafana Labs Grafana Enterprise Metrics GEM 1.X versiones anteriores a 1.7.1 en AMD64; Versiones GEM 2.X anteriores a 2.3.1 en AMD64.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-11-03 CVE Reserved
2022-12-20 CVE Published
2024-07-12 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v171----november-14th-2022	2022-12-29
https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v231----november-14th-2022	2022-12-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Grafana Search vendor "Grafana"	Enterprise Metrics Search vendor "Grafana" for product "Enterprise Metrics"	>= 1.0.0 < 1.7.1 Search vendor "Grafana" for product "Enterprise Metrics" and version " >= 1.0.0 < 1.7.1"	-	Affected	in	Amd Search vendor "Amd"	Amd64 Search vendor "Amd" for product "Amd64"	-	-	Safe
Grafana Search vendor "Grafana"	Enterprise Metrics Search vendor "Grafana" for product "Enterprise Metrics"	>= 2.0.0 < 2.3.1 Search vendor "Grafana" for product "Enterprise Metrics" and version " >= 2.0.0 < 2.3.1"	-	Affected	in	Amd Search vendor "Amd"	Amd64 Search vendor "Amd" for product "Amd64"	-	-	Safe