Lucene search

GitHub_MCVE-2022-39201

HistoryOct 13, 2022 - 11:15 p.m.

CVE-2022-39201

2022-10-1323:15:10

CWE-200

GitHub_M

web.nvd.nist.gov

174

grafana

cve-2022-39201

observability

data visualization

authentication cookie

plugin security

data source

vulnerability

patch

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

41.2%

JSON

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user’s Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.

Affected configurations

Nvd

Vulners

Node

grafanagrafanaRange5.0.1–8.5.14

grafanagrafanaRange9.0.0–9.1.8

grafanagrafanaMatch5.0.0-

grafanagrafanaMatch5.0.0beta1

grafanagrafanaMatch5.0.0beta2

grafanagrafanaMatch5.0.0beta3

grafanagrafanaMatch5.0.0beta4

grafanagrafanaMatch5.0.0beta5

VendorProductVersionCPE
grafanagrafana*cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
grafanagrafana5.0.0cpe:2.3:a:grafana:grafana:5.0.0:-:*:*:*:*:*:*
grafanagrafana5.0.0cpe:2.3:a:grafana:grafana:5.0.0:beta1:*:*:*:*:*:*
grafanagrafana5.0.0cpe:2.3:a:grafana:grafana:5.0.0:beta2:*:*:*:*:*:*
grafanagrafana5.0.0cpe:2.3:a:grafana:grafana:5.0.0:beta3:*:*:*:*:*:*
grafanagrafana5.0.0cpe:2.3:a:grafana:grafana:5.0.0:beta4:*:*:*:*:*:*
grafanagrafana5.0.0cpe:2.3:a:grafana:grafana:5.0.0:beta5:*:*:*:*:*:*

Vendor	Product	Version	CPE
grafana	grafana	*	cpe:2.3:a:grafana:grafana::::::::
grafana	grafana	5.0.0	cpe:2.3:a:grafana:grafana:5.0.0:-::::::
grafana	grafana	5.0.0	cpe:2.3:a:grafana:grafana:5.0.0:beta1::::::
grafana	grafana	5.0.0	cpe:2.3:a:grafana:grafana:5.0.0:beta2::::::
grafana	grafana	5.0.0	cpe:2.3:a:grafana:grafana:5.0.0:beta3::::::
grafana	grafana	5.0.0	cpe:2.3:a:grafana:grafana:5.0.0:beta4::::::
grafana	grafana	5.0.0	cpe:2.3:a:grafana:grafana:5.0.0:beta5::::::

CNA Affected

[
  {
    "vendor": "grafana",
    "product": "grafana",
    "versions": [
      {
        "version": ">= v5.0.0-beta1, < 8.5.14",
        "status": "affected"
      },
      {
        "version": ">= 9.0.0, < 9.1.8",
        "status": "affected"
      }
    ]
  }
]