Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
freebsdFreeBSD6877E164-6296-11ED-9CA2-6C3BE5272ACD
HistorySep 07, 2022 - 12:00 a.m.

Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

2022-09-0700:00:00
vuxml.freebsd.org
22
grafana
authentication tokens
data source
plugin proxy
security audit
vulnerability
cvss 6.8
unix

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

48.4%

JSON

Grafana Labs reports:

On September 7th as a result of an internal security audit we have discovered
that Grafana could leak the authentication cookie of users to plugins. After
further analysis the vulnerability impacts data source and plugin proxy
endpoints under certain conditions.
We believe that this vulnerability is rated at CVSS 6.8
(CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

Related

osv 24
freebsd 3
nessus 17
openvas 6
altlinux 1
veracode 4
alpinelinux 4
ibm 5
github 4
cvelist 4
redhatcve 4
nvd 4
ubuntucve 4
cve 4
cgr 4
prion 4
oraclelinux 3
redhat 6
cnvd 1
almalinux 3
redos 1
wallarmlab 1
oracle 1
osv
osv
grafana-8.5.14-1.1 on GA media
2024-06-15 00:00:00
Grafana Plugin signature bypass
2024-05-14 22:22:57
BIT-grafana-2022-31123
2024-03-06 10:56:23
freebsd
freebsd
Grafana -- Plugin signature bypass
2022-07-04 00:00:00
Grafana -- Improper authentication
2022-09-07 00:00:00
Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
2022-06-26 00:00:00
nessus
nessus
openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:0353-1)
2023-02-14 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)
2023-02-14 00:00:00
FreeBSD : Grafana -- Plugin signature bypass (4e60d660-6298-11ed-9ca2-6c3be5272acd)
2022-11-13 00:00:00
openvas
openvas
openSUSE: Security Advisory for grafana (SUSE-SU-2023:0362-1)
2024-03-04 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:0362-1)
2023-02-13 00:00:00
Grafana Privilege Escalation Vulnerability (GHSA-x744-mm8v-vpgr)
2022-10-18 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package grafana version 8.5.20-alt1
2023-01-31 00:00:00
veracode
veracode
Information Disclosure
2022-10-17 05:28:39
Authentication Bypass
2022-10-17 08:35:54
Signature Verification Bypass
2022-10-28 00:28:22
alpinelinux
alpinelinux
CVE-2022-31123
2022-10-13 22:15:00
CVE-2022-39229
2022-10-13 23:15:00
CVE-2022-39201
2022-10-13 23:15:00
ibm
ibm
Security Bulletin: IBM Storage Ceph is vulnerable to improper authentication in Grafana (CVE-2022-39229)
2023-11-01 19:38:48
Security Bulletin: IBM Storage Ceph is vulnerable to exposure of sensitive information to an unauthorized actor in Grafana [CVE-2022-39201]
2023-11-01 19:49:00
Security Bulletin: IBM Storage Ceph is vulnerable to improper verification of cryptographic signature in Grafana (CVE-2022-31123)
2023-11-01 20:00:15
github
github
Grafana when using email as a username can block other users from signing in
2024-05-14 22:29:38
Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
2024-05-14 22:29:41
Grafana Plugin signature bypass
2024-05-14 22:22:57
cvelist
cvelist
CVE-2022-31123 Grafana plugin signature bypass vulnerability
2022-10-13 00:00:00
CVE-2022-39201 Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
2022-10-13 00:00:00
CVE-2022-39229 Grafana users with email as a username can block other users from signing in
2022-10-13 00:00:00
redhatcve
redhatcve
CVE-2022-39201
2022-10-14 05:59:22
CVE-2022-31123
2022-10-14 05:59:20
CVE-2022-39229
2022-10-14 05:59:29
nvd
nvd
CVE-2022-39201
2022-10-13 23:15:10
CVE-2022-31123
2022-10-13 22:15:10
CVE-2022-39229
2022-10-13 23:15:10
ubuntucve
ubuntucve
CVE-2022-39201
2022-10-13 00:00:00
CVE-2022-31123
2022-10-13 00:00:00
CVE-2022-39229
2022-10-13 00:00:00
cve
cve
CVE-2022-39201
2022-10-13 23:15:10
CVE-2022-31123
2022-10-13 22:15:10
CVE-2022-39229
2022-10-13 23:15:10
cgr
cgr
CVE-2022-31123 vulnerabilities
2024-05-19 03:07:16
CVE-2022-39201 vulnerabilities
2024-05-19 03:07:16
CVE-2022-39229 vulnerabilities
2024-05-19 03:07:16
prion
prion
Design/Logic Flaw
2022-10-13 22:15:00
Design/Logic Flaw
2022-10-13 23:15:00
Authentication flaw
2022-10-13 23:15:00
oraclelinux
oraclelinux
grafana security and enhancement update
2023-11-11 00:00:00
grafana security update
2023-05-24 00:00:00
grafana security and enhancement update
2023-05-15 00:00:00
redhat
redhat
(RHSA-2023:6420) Moderate: grafana security and enhancement update
2023-11-07 06:05:17
(RHSA-2023:2784) Moderate: grafana security update
2023-05-16 05:54:36
(RHSA-2023:2167) Moderate: grafana security and enhancement update
2023-05-09 05:02:10
cnvd
cnvd
Grafana Denial of Service Vulnerability
2022-10-14 00:00:00
almalinux
almalinux
Moderate: grafana security and enhancement update
2023-11-07 00:00:00
Moderate: grafana security update
2023-05-16 00:00:00
Moderate: grafana security and enhancement update
2023-05-09 00:00:00
redos
redos
ROS-20240404-01
2024-04-04 00:00:00
wallarmlab
wallarmlab
Q4-2022 API ThreatStatsβ„’ Report
2023-02-22 16:02:55
oracle
oracle
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

48.4%

JSON
Related for 6877E164-6296-11ED-9CA2-6C3BE5272ACD
osv24freebsd3nessus17openvas6altlinux1veracode4alpinelinux4ibm5github4cvelist4redhatcve4nvd4ubuntucve4cve4cgr4prion4oraclelinux3redhat6cnvd1almalinux3redos1wallarmlab1oracle1