Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
freebsdFreeBSD909A80BA-6294-11ED-9CA2-6C3BE5272ACD
HistorySep 07, 2022 - 12:00 a.m.

Grafana -- Improper authentication

2022-09-0700:00:00
vuxml.freebsd.org
12
grafana
authentication
security vulnerability

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

48.5%

JSON

Grafana Labs reports:

On September 7, as a result of an internal security audit, we discovered
a security vulnerability in Grafana’s basic authentication related to the usage
of username and email address.
n Grafana, a user’s username and email address are unique fields, which
means no other user can have the same username or email address as another user.

In addition, a user can have an email address as a username, and the Grafana
login allows users to sign in with either username or email address. This
creates an unusual behavior, where user_1 can register with one email
address and user_2 can register their username as user_1’s
email address. As a result, user_1 would be prevented from signing
in to Grafana, since user_1 password won’t match with user_2
email address.
The CVSS score for this vulnerability is 4.3 moderate
(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

Related

freebsd 3
nessus 17
openvas 6
altlinux 1
veracode 4
osv 19
alpinelinux 4
cvelist 4
ibm 5
github 4
ubuntucve 4
redhatcve 4
prion 4
cgr 4
cve 4
nvd 4
cnvd 1
almalinux 3
oraclelinux 3
redhat 6
redos 1
wallarmlab 1
oracle 1
freebsd
freebsd
Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
2022-06-26 00:00:00
Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
2022-09-07 00:00:00
Grafana -- Plugin signature bypass
2022-07-04 00:00:00
nessus
nessus
openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:0353-1)
2023-02-14 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)
2023-02-14 00:00:00
FreeBSD : Grafana -- Plugin signature bypass (4e60d660-6298-11ed-9ca2-6c3be5272acd)
2022-11-13 00:00:00
openvas
openvas
openSUSE: Security Advisory for grafana (SUSE-SU-2023:0362-1)
2024-03-04 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:0362-1)
2023-02-13 00:00:00
Grafana Privilege Escalation Vulnerability (GHSA-rhxj-gh46-jvw8)
2022-10-18 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package grafana version 8.5.20-alt1
2023-01-31 00:00:00
veracode
veracode
Information Disclosure
2022-10-17 05:28:39
Authentication Bypass
2022-10-17 08:35:54
Signature Verification Bypass
2022-10-28 00:28:22
osv
osv
Grafana Plugin signature bypass
2024-05-14 22:22:57
CVE-2022-39229
2022-10-13 23:15:10
Grafana when using email as a username can block other users from signing in
2024-05-14 22:29:38
alpinelinux
alpinelinux
CVE-2022-31123
2022-10-13 22:15:00
CVE-2022-39229
2022-10-13 23:15:00
CVE-2022-39201
2022-10-13 23:15:00
cvelist
cvelist
CVE-2022-31123 Grafana plugin signature bypass vulnerability
2022-10-13 00:00:00
CVE-2022-39201 Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
2022-10-13 00:00:00
CVE-2022-39229 Grafana users with email as a username can block other users from signing in
2022-10-13 00:00:00
ibm
ibm
Security Bulletin: IBM Storage Ceph is vulnerable to improper authentication in Grafana (CVE-2022-39229)
2023-11-01 19:38:48
Security Bulletin: IBM Storage Ceph is vulnerable to improper verification of cryptographic signature in Grafana (CVE-2022-31123)
2023-11-01 20:00:15
Security Bulletin: IBM Storage Ceph is vulnerable to exposure of sensitive information to an unauthorized actor in Grafana [CVE-2022-39201]
2023-11-01 19:49:00
github
github
Grafana when using email as a username can block other users from signing in
2024-05-14 22:29:38
Grafana Plugin signature bypass
2024-05-14 22:22:57
Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
2024-05-14 22:29:41
ubuntucve
ubuntucve
CVE-2022-31123
2022-10-13 00:00:00
CVE-2022-39201
2022-10-13 00:00:00
CVE-2022-39229
2022-10-13 00:00:00
redhatcve
redhatcve
CVE-2022-31123
2022-10-14 05:59:20
CVE-2022-39201
2022-10-14 05:59:22
CVE-2022-39229
2022-10-14 05:59:29
prion
prion
Design/Logic Flaw
2022-10-13 22:15:00
Authentication flaw
2022-10-13 23:15:00
Design/Logic Flaw
2022-10-13 23:15:00
cgr
cgr
CVE-2022-31123 vulnerabilities
2024-05-19 03:07:16
CVE-2022-39201 vulnerabilities
2024-05-19 03:07:16
CVE-2022-39229 vulnerabilities
2024-05-19 03:07:16
cve
cve
CVE-2022-31123
2022-10-13 22:15:10
CVE-2022-39201
2022-10-13 23:15:10
CVE-2022-39229
2022-10-13 23:15:10
nvd
nvd
CVE-2022-31123
2022-10-13 22:15:10
CVE-2022-39201
2022-10-13 23:15:10
CVE-2022-39229
2022-10-13 23:15:10
cnvd
cnvd
Grafana Denial of Service Vulnerability
2022-10-14 00:00:00
almalinux
almalinux
Moderate: grafana security and enhancement update
2023-11-07 00:00:00
Moderate: grafana security update
2023-05-16 00:00:00
Moderate: grafana security and enhancement update
2023-05-09 00:00:00
oraclelinux
oraclelinux
grafana security and enhancement update
2023-11-11 00:00:00
grafana security update
2023-05-24 00:00:00
grafana security and enhancement update
2023-05-15 00:00:00
redhat
redhat
(RHSA-2023:6420) Moderate: grafana security and enhancement update
2023-11-07 06:05:17
(RHSA-2023:2784) Moderate: grafana security update
2023-05-16 05:54:36
(RHSA-2023:2167) Moderate: grafana security and enhancement update
2023-05-09 05:02:10
redos
redos
ROS-20240404-01
2024-04-04 00:00:00
wallarmlab
wallarmlab
Q4-2022 API ThreatStats™ Report
2023-02-22 16:02:55
oracle
oracle
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

48.5%

JSON
Related for 909A80BA-6294-11ED-9CA2-6C3BE5272ACD
freebsd3nessus17openvas6altlinux1veracode4osv19alpinelinux4cvelist4ibm5github4ubuntucve4redhatcve4prion4cgr4cve4nvd4cnvd1almalinux3oraclelinux3redhat6redos1wallarmlab1oracle1