CVE-2022-35957 (GCVE-0-2022-35957)
Vulnerability from cvelistv5 – Published: 2022-09-20 00:00 – Updated: 2026-01-28 04:55 – CWE-290 - Authentication Bypass by Spoofing
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"name": "FEDORA-2022-2eb4418018",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-35957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T04:55:29.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grafana",
"vendor": "grafana",
"versions": [
{
"status": "affected",
"version": "\u003e 9.0.0, \u003c 9.1.6"
},
{
"status": "affected",
"version": "\u003c 8.5.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-15T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"name": "FEDORA-2022-2eb4418018",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
}
],
"source": {
"advisory": "GHSA-ff5c-938w-8c9q",
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-35957",
"datePublished": "2022-09-20T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2026-01-28T04:55:29.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-35957",
"date": "2026-05-21",
"epss": "0.00881",
"percentile": "0.75601"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"8.5.13\", \"matchCriteriaId\": \"60D90629-8174-4FC3-8D43-17655EF93F5E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.0.0\", \"versionEndExcluding\": \"9.0.9\", \"matchCriteriaId\": \"FD0963EA-4EDA-417B-9CF2-609E4157AD8C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.1.0\", \"versionEndExcluding\": \"9.1.6\", \"matchCriteriaId\": \"E40D636D-3D90-46E1-84F2-13F186F55DB7\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/\"}, {\"lang\": \"es\", \"value\": \"Grafana es una plataforma de c\\u00f3digo abierto para la monitorizaci\\u00f3n y la observabilidad. Las versiones anteriores a 9.1.6 y 8.5.13, son vulnerables a una escalada de admin a server admin cuando es usado auth proxy, lo que permite a un admin tomar la cuenta de server admin y obtener el control total de la instancia de grafana. Todas las instalaciones deben ser actualizadas tan pronto como sea posible. Como mitigaci\\u00f3n, desactive el proxy de autenticaci\\u00f3n siguiendo las instrucciones en: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/\"}]",
"id": "CVE-2022-35957",
"lastModified": "2024-11-21T07:12:03.050",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 6.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.7, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 6.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.7, \"impactScore\": 5.9}]}",
"published": "2022-09-20T23:15:09.457",
"references": "[{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221215-0001/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221215-0001/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-290\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-290\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-35957\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-09-20T23:15:09.457\",\"lastModified\":\"2024-11-21T07:12:03.050\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/\"},{\"lang\":\"es\",\"value\":\"Grafana es una plataforma de c\u00f3digo abierto para la monitorizaci\u00f3n y la observabilidad. Las versiones anteriores a 9.1.6 y 8.5.13, son vulnerables a una escalada de admin a server admin cuando es usado auth proxy, lo que permite a un admin tomar la cuenta de server admin y obtener el control total de la instancia de grafana. Todas las instalaciones deben ser actualizadas tan pronto como sea posible. 
Como mitigaci\u00f3n, desactive el proxy de autenticaci\u00f3n siguiendo las instrucciones en: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.7,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":6.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.7,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.5.13\",\"matchCriteriaId\":\"60D90629-8174-4FC3-8D43-17655EF93F5E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.0.9\",\"matchCriteriaId\":\"FD0963EA-4EDA-417B-9CF2-609E4157AD8C\"},{\"vulnerable\":true,\"criteria\":\"c
pe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.1.0\",\"versionEndExcluding\":\"9.1.6\",\"matchCriteriaId\":\"E40D636D-3D90-46E1-84F2-13F186F55DB7\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E30D0E6F-4AE8-4284-8716-991DFA48CC5D\"}]}]}],\"references\":[{\"url\":\"https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20221215-0001/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20221215-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/\", \"name\": \"FEDORA-2022-2eb4418018\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221215-0001/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T09:51:59.288Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-35957\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T15:48:59.770400Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:49:01.986Z\"}}], \"cna\": {\"title\": \"Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin\", \"source\": {\"advisory\": \"GHSA-ff5c-938w-8c9q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"grafana\", \"product\": \"grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e 9.0.0, \u003c 9.1.6\"}, {\"status\": 
\"affected\", \"version\": \"\u003c 8.5.13\"}]}], \"references\": [{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/\", \"name\": \"FEDORA-2022-2eb4418018\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221215-0001/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290: Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-12-15T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-35957\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-28T04:55:29.297Z\", \"dateReserved\": \"2022-07-15T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-09-20T00:00:00.000Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2022-AVI-845
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Grafana. Elles permettent à un attaquant de provoquer une élévation de privilèges.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Grafana Labs | Grafana | Grafana versions antérieures à 8.5.13 |
| Grafana Labs | Grafana | Grafana versions 9.1.x antérieures à 9.1.6 |
| Grafana Labs | Grafana | Grafana versions 9.0.x antérieures à 9.0.9 |
| Title | Publication Time | Tags |
|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Grafana versions ant\u00e9rieures \u00e0 8.5.13",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.1.x ant\u00e9rieures \u00e0 9.1.6",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.0.x ant\u00e9rieures \u00e0 9.0.9",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-35957",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35957"
},
{
"name": "CVE-2022-36062",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36062"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-845",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-09-21T00:00:00.000000"
}
],
"risks": [
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Grafana. Elles\npermettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Grafana",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-ff5c-938w-8c9q du 20 septembre 2022",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-p978-56hq-r492 du 20 septembre 2022",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492"
}
]
}
CERTFR-2022-AVI-845
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Grafana. Elles permettent à un attaquant de provoquer une élévation de privilèges.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Grafana Labs | Grafana | Grafana versions antérieures à 8.5.13 |
| Grafana Labs | Grafana | Grafana versions 9.1.x antérieures à 9.1.6 |
| Grafana Labs | Grafana | Grafana versions 9.0.x antérieures à 9.0.9 |
| Title | Publication Time | Tags |
|---|---|---|
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Grafana versions ant\u00e9rieures \u00e0 8.5.13",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.1.x ant\u00e9rieures \u00e0 9.1.6",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
},
{
"description": "Grafana versions 9.0.x ant\u00e9rieures \u00e0 9.0.9",
"product": {
"name": "Grafana",
"vendor": {
"name": "Grafana Labs",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-35957",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35957"
},
{
"name": "CVE-2022-36062",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36062"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-845",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-09-21T00:00:00.000000"
}
],
"risks": [
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Grafana. Elles\npermettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Grafana",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-ff5c-938w-8c9q du 20 septembre 2022",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-p978-56hq-r492 du 20 septembre 2022",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492"
}
]
}
alsa-2023:2167
Vulnerability from osv_almalinux
Grafana is an open-source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB.
Security Fix(es):
- golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
- golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)
- grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)
- grafana: using email as a username can block other users from signing in (CVE-2022-39229)
- golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.9-2.el9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n* grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)\n* grafana: using email as a username can block other users from signing in (CVE-2022-39229)\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
"id": "ALSA-2023:2167",
"modified": "2023-05-11T17:41:17Z",
"published": "2023-05-09T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-2880"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-35957"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-39229"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2124669"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2125514"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2131149"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2132868"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2132872"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2023-2167.html"
}
],
"related": [
"CVE-2022-2880",
"CVE-2022-27664",
"CVE-2022-35957",
"CVE-2022-39229",
"CVE-2022-41715"
],
"summary": "Moderate: grafana security and enhancement update"
}
BDU:2024-02622
Vulnerability from fstec - Published: 20.09.2022
{
"CVSS 2.0": "AV:N/AC:H/Au:M/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Grafana Labs",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), \u0434\u043e 8.5.13 (Grafana), \u043e\u0442 9.0.0 \u0434\u043e 9.0.9 (Grafana), \u043e\u0442 9.1.0 \u0434\u043e 9.1.6 (Grafana)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f Grafana:\nhttps://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "20.09.2022",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "05.04.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "05.04.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-02622",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-35957",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Grafana",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u043d\u0430\u0431\u043b\u044e\u0434\u0435\u043d\u0438\u044f Grafana, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0431\u0445\u043e\u0434\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u0443\u0442\u0435\u043c \u0441\u043f\u0443\u0444\u0438\u043d\u0433\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u0438 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0435\u0435 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041e\u0431\u0445\u043e\u0434 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u0441\u043f\u0443\u0444\u0438\u043d\u0433\u0430 (CWE-290)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u043d\u0430\u0431\u043b\u044e\u0434\u0435\u043d\u0438\u044f Grafana \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u044d\u0441\u043a\u0430\u043b\u0430\u0446\u0438\u0435\u0439 \u043e\u0442 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u0430 \u043a \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u0443 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u043f\u0440\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e,\u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u0438 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0435\u0435 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q\nhttps://redos.red-soft.ru/support/secure/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-290",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,6)"
}
bit-grafana-2022-35957
Vulnerability from bitnami_vulndb
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "grafana",
"purl": "pkg:bitnami/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.13"
},
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.9"
},
{
"introduced": "9.1.0"
},
{
"fixed": "9.1.6"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2022-35957"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/",
"id": "BIT-grafana-2022-35957",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-03-06T10:55:38.882Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35957"
}
],
"schema_version": "1.5.0",
"summary": "Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin"
}
FKIE_CVE-2022-35957
Vulnerability from fkie_nvd - Published: 2022-09-20 23:15 - Updated: 2024-11-21 07:12 - 6.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q | Vendor Advisory |
| security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/ | |
| security-advisories@github.com | https://security.netapp.com/advisory/ntap-20221215-0001/ | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q | Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/ | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20221215-0001/ | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60D90629-8174-4FC3-8D43-17655EF93F5E",
"versionEndExcluding": "8.5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FD0963EA-4EDA-417B-9CF2-609E4157AD8C",
"versionEndExcluding": "9.0.9",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E40D636D-3D90-46E1-84F2-13F186F55DB7",
"versionEndExcluding": "9.1.6",
"versionStartIncluding": "9.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/"
},
{
"lang": "es",
"value": "Grafana es una plataforma de c\u00f3digo abierto para la monitorizaci\u00f3n y la observabilidad. Las versiones anteriores a 9.1.6 y 8.5.13, son vulnerables a una escalada de admin a server admin cuando es usado auth proxy, lo que permite a un admin tomar la cuenta de server admin y obtener el control total de la instancia de grafana. Todas las instalaciones deben ser actualizadas tan pronto como sea posible. Como mitigaci\u00f3n, desactive el proxy de autenticaci\u00f3n siguiendo las instrucciones en: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/"
}
],
"id": "CVE-2022-35957",
"lastModified": "2024-11-21T07:12:03.050",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-20T23:15:09.457",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-FF5C-938W-8C9Q
Vulnerability from github – Published: 2024-05-14 22:25 – Updated: 2024-11-18 16:26
Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-35957 that affects Grafana instances which are using Grafana Auth Proxy.
Release 9.1.6, latest patch, also containing security fix:
Release 9.0.9, only containing security fix:
Release 8.5.13, only containing security fix:
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana as a service offering.
Privilege escalation (CVE-2022-35957)
Summary
On August 9 an internal security review identified a vulnerability in Grafana that allows an escalation from Admin privileges to Server Admin when Auth proxy authentication is used.
Auth proxy authenticates a user from nothing more than the username (or email) supplied in an X-WEBAUTH-USER HTTP header: the trust assumption is that a front proxy takes care of authentication and that the Grafana server is reachable only through this front proxy.
Datasource proxy breaks this assumption:
- it is possible to configure a fake datasource pointing to a localhost Grafana install with a X-WEBAUTH-USER HTTP header containing admin username.
- This fake datasource can be called publicly via this proxying feature.
The CVSS score for this vulnerability is 6.6 Moderate (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Impacted versions
All Grafana installations where the Auth Proxy is used.
Solutions and mitigations
To fully address CVE-2022-35957, please upgrade your Grafana instances. The upgrade is only required if you are using Auth proxy. If you can’t upgrade, you can deactivate the auth proxy as an alternative.
Appropriate patches have been applied to Grafana Cloud.
Timeline
Here is a timeline starting from when we originally learned of the issue.
- 2022-08-09: Vulnerability is reported as a result of an Internal security audit.
- 2022-08-09: Release timeline determined: 2022-09-06 for private customer release, 2022-09-20 for public release.
- 2022-08-09: Confirmed that Grafana Cloud is not impacted.
- 2022-09-06: Private release.
- 2022-09-20: Public release.
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.1.0"
},
{
"fixed": "9.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.5.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35957"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T22:25:56Z",
"nvd_published_at": "2022-09-20T23:15:00Z",
"severity": "HIGH"
},
"details": "Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-35957 that affects Grafana instances which are using Grafana [Auth Proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/#configure-auth-proxy-authentication).\n\nRelease 9.1.6, latest patch, also containing security fix:\n\n- [Download Grafana 9.1.6](https://grafana.com/grafana/download/9.1.6)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-1-6/)\n\nRelease 9.0.9, only containing security fix:\n\n- [Download Grafana 9.0.9](https://grafana.com/grafana/download/9.0.9)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-9/)\n\nRelease 8.5.13, only containing security fix:\n\n- [Download Grafana 8.5.13](https://grafana.com/grafana/download/8.5.13)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-13/)\n\nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. 
This is applicable to Amazon Managed Grafana and Azure\u0027s Grafana as a service offering.\n\n## Privilege escalation (CVE-2022-35957)\n\n### Summary \n\nOn August 9 an internal security review identified a vulnerability in the Grafana which allows an escalation from Admin privileges to Server Admin when Auth proxy authentication is used.\n\n[Auth proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/#configure-auth-proxy-authentication) allows to authenticate a user by only providing the username (or email) in a `X-WEBAUTH-USER` HTTP header: the trust assumption is that a front proxy will take care of authentication and that Grafana server is publicly reachable only with this front proxy.\n\n[Datasource proxy](https://grafana.com/docs/grafana/latest/developers/http_api/data_source/#data-source-proxy-calls) breaks this assumption:\n- it is possible to configure a fake datasource pointing to a localhost Grafana install with a `X-WEBAUTH-USER` HTTP header containing admin username.\n- This fake datasource can be called publicly via this proxying feature.\n\nThe CVSS score for this vulnerability is 6.6 Moderate (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).\n\n### Impacted versions\n\nAll Grafana installations where the [Auth Proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/#configure-auth-proxy-authentication) is used.\n\n### Solutions and mitigations\n\nTo fully address CVE-2022-35957 please upgrade your Grafana instances. They are only required if you are using Auth proxy. If you can\u2019t upgrade, as an alternative, you can deactivate the auth proxy. \n\nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud).\n\n### Timeline\n\nHere is a timeline starting from when we originally learned of the issue. 
\n\n* 2022-08-09: Vulnerability is reported as a result of an Internal security audit.\n* 2022-08-09: Release timeline determined: 2022-09-06 for private customer release, 2022-09-20 for public release.\n* 2022-08-09: Confirmed that Grafana Cloud is not impacted.\n* 2022-09-06: Private release.\n* 2022-09-20: Public release.\n\n## Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs\u0027 open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is\n\nF988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from keyserver.ubuntu.com.\n\n## Security announcements\n\nWe maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.\n\nYou can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).",
"id": "GHSA-ff5c-938w-8c9q",
"modified": "2024-11-18T16:26:41Z",
"published": "2024-05-14T22:25:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35957"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/grafana"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221215-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Grafana Escalation from admin to server admin when auth proxy is used"
}
GSD-2022-35957
Vulnerability from gsd - Updated: 2023-12-13 01:19
{
"GSD": {
"alias": "CVE-2022-35957",
"id": "GSD-2022-35957",
"references": [
"https://www.suse.com/security/cve/CVE-2022-35957.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-35957"
],
"details": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/",
"id": "GSD-2022-35957",
"modified": "2023-12-13T01:19:33.254557Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-35957",
"STATE": "PUBLIC",
"TITLE": "Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grafana",
"version": {
"version_data": [
{
"version_value": "\u003e 9.0.0, \u003c 9.1.6"
},
{
"version_value": "\u003c 8.5.13"
}
]
}
}
]
},
"vendor_name": "grafana"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-290: Authentication Bypass by Spoofing"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q",
"refsource": "CONFIRM",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"name": "FEDORA-2022-2eb4418018",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20221215-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
}
]
},
"source": {
"advisory": "GHSA-ff5c-938w-8c9q",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.1.6",
"versionStartIncluding": "9.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.0.9",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.5.13",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-35957"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
},
{
"name": "FEDORA-2022-2eb4418018",
"refsource": "FEDORA",
"tags": [
"Issue Tracking",
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20221215-0001/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-02-16T03:17Z",
"publishedDate": "2022-09-20T23:15Z"
}
}
}
OPENSUSE-SU-2024:12366-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.13-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.13-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.13-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.13-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.13-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.13-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.13-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:grafana-8.5.13-1.1.x86_64 | — | | Vendor Fix |
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12366-1.json | self |
| https://www.suse.com/security/cve/CVE-2022-35957/ | self |
| https://www.suse.com/security/cve/CVE-2022-36062/ | self |
| https://www.suse.com/security/cve/CVE-2022-35957 | external |
| https://bugzilla.suse.com/1203597 | external |
| https://www.suse.com/security/cve/CVE-2022-36062 | external |
| https://bugzilla.suse.com/1203596 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "grafana-8.5.13-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the grafana-8.5.13-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12366",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12366-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-35957 page",
"url": "https://www.suse.com/security/cve/CVE-2022-35957/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-36062 page",
"url": "https://www.suse.com/security/cve/CVE-2022-36062/"
}
],
"title": "grafana-8.5.13-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12366-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.13-1.1.aarch64",
"product": {
"name": "grafana-8.5.13-1.1.aarch64",
"product_id": "grafana-8.5.13-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.13-1.1.ppc64le",
"product": {
"name": "grafana-8.5.13-1.1.ppc64le",
"product_id": "grafana-8.5.13-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.13-1.1.s390x",
"product": {
"name": "grafana-8.5.13-1.1.s390x",
"product_id": "grafana-8.5.13-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-8.5.13-1.1.x86_64",
"product": {
"name": "grafana-8.5.13-1.1.x86_64",
"product_id": "grafana-8.5.13-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.13-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.13-1.1.aarch64"
},
"product_reference": "grafana-8.5.13-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.13-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.13-1.1.ppc64le"
},
"product_reference": "grafana-8.5.13-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.13-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.13-1.1.s390x"
},
"product_reference": "grafana-8.5.13-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-8.5.13-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:grafana-8.5.13-1.1.x86_64"
},
"product_reference": "grafana-8.5.13-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-35957",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-35957"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-8.5.13-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-35957",
"url": "https://www.suse.com/security/cve/CVE-2022-35957"
},
{
"category": "external",
"summary": "SUSE Bug 1203597 for CVE-2022-35957",
"url": "https://bugzilla.suse.com/1203597"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-8.5.13-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-8.5.13-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-35957"
},
{
"cve": "CVE-2022-36062",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-36062"
}
],
"notes": [
{
"category": "general",
"text": "Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:grafana-8.5.13-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-36062",
"url": "https://www.suse.com/security/cve/CVE-2022-36062"
},
{
"category": "external",
"summary": "SUSE Bug 1203596 for CVE-2022-36062",
"url": "https://bugzilla.suse.com/1203596"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:grafana-8.5.13-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:grafana-8.5.13-1.1.aarch64",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.ppc64le",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.s390x",
"openSUSE Tumbleweed:grafana-8.5.13-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-36062"
}
]
}
RHSA-2023:2167
Vulnerability from csaf_redhat - Published: 2023-05-09 09:50 - Updated: 2026-05-21 14:18
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's form field is set after the reverse proxy director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the grafana package. Auth proxy allows authentication of a user by only providing the username (or email) in an X-WEBAUTH-USER HTTP header. The trust assumption is that a front proxy will take care of authentication and that the Grafana server is only publicly reachable through this front proxy.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the Grafana web application. When a user logs into the system, either the username or email address can be used. However, the login system allows both a username and a connected email address to be registered, which could allow an attacker to prevent a user who has an associated email address from gaining access.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64 | — |
Vendor Fix
fix
|
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:2167 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://access.redhat.com/documentation/en-us/red… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2095421 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2124669 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2125514 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2127218 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131149 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2132868 | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2132872 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2022-2880 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2132868 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-2880 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-2880 | external |
| https://github.com/golang/go/issues/54663 | external |
| https://groups.google.com/g/golang-announce/c/xtu… | external |
| https://access.redhat.com/security/cve/CVE-2022-27664 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2124669 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-27664 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-27664 | external |
| https://go.dev/issue/54658 | external |
| https://groups.google.com/g/golang-announce/c/x49… | external |
| https://access.redhat.com/security/cve/CVE-2022-35957 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2125514 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-35957 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-35957 | external |
| https://github.com/grafana/grafana/security/advis… | external |
| https://access.redhat.com/security/cve/CVE-2022-39229 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2131149 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-39229 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-39229 | external |
| https://access.redhat.com/security/cve/CVE-2022-41715 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2132872 | external |
| https://www.cve.org/CVERecord?id=CVE-2022-41715 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2022-41715 | external |
| https://github.com/golang/go/issues/55949 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for grafana is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB \u0026 OpenTSDB. \n\nSecurity Fix(es):\n\n* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)\n\n* golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)\n\n* grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)\n\n* grafana: using email as a username can block other users from signing in (CVE-2022-39229)\n\n* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:2167",
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index"
},
{
"category": "external",
"summary": "2095421",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2095421"
},
{
"category": "external",
"summary": "2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "2125514",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2125514"
},
{
"category": "external",
"summary": "2127218",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2127218"
},
{
"category": "external",
"summary": "2131149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131149"
},
{
"category": "external",
"summary": "2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2167.json"
}
],
"title": "Red Hat Security Advisory: grafana security and enhancement update",
"tracking": {
"current_release_date": "2026-05-21T14:18:36+00:00",
"generator": {
"date": "2026-05-21T14:18:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2023:2167",
"initial_release_date": "2023-05-09T09:50:53+00:00",
"revision_history": [
{
"date": "2023-05-09T09:50:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-09T09:50:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-21T14:18:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.src",
"product": {
"name": "grafana-0:9.0.9-2.el9.src",
"product_id": "grafana-0:9.0.9-2.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.aarch64",
"product": {
"name": "grafana-0:9.0.9-2.el9.aarch64",
"product_id": "grafana-0:9.0.9-2.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-2.el9.aarch64",
"product": {
"name": "grafana-debugsource-0:9.0.9-2.el9.aarch64",
"product_id": "grafana-debugsource-0:9.0.9-2.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-2.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"product": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"product_id": "grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-2.el9?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.ppc64le",
"product": {
"name": "grafana-0:9.0.9-2.el9.ppc64le",
"product_id": "grafana-0:9.0.9-2.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"product": {
"name": "grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"product_id": "grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-2.el9?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"product": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"product_id": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-2.el9?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.x86_64",
"product": {
"name": "grafana-0:9.0.9-2.el9.x86_64",
"product_id": "grafana-0:9.0.9-2.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-2.el9.x86_64",
"product": {
"name": "grafana-debugsource-0:9.0.9-2.el9.x86_64",
"product_id": "grafana-debugsource-0:9.0.9-2.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-2.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"product": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"product_id": "grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-2.el9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "grafana-0:9.0.9-2.el9.s390x",
"product": {
"name": "grafana-0:9.0.9-2.el9.s390x",
"product_id": "grafana-0:9.0.9-2.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana@9.0.9-2.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debugsource-0:9.0.9-2.el9.s390x",
"product": {
"name": "grafana-debugsource-0:9.0.9-2.el9.s390x",
"product_id": "grafana-debugsource-0:9.0.9-2.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debugsource@9.0.9-2.el9?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "grafana-debuginfo-0:9.0.9-2.el9.s390x",
"product": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.s390x",
"product_id": "grafana-debuginfo-0:9.0.9-2.el9.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/grafana-debuginfo@9.0.9-2.el9?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64"
},
"product_reference": "grafana-0:9.0.9-2.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le"
},
"product_reference": "grafana-0:9.0.9-2.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x"
},
"product_reference": "grafana-0:9.0.9-2.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src"
},
"product_reference": "grafana-0:9.0.9-2.el9.src",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-0:9.0.9-2.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64"
},
"product_reference": "grafana-0:9.0.9-2.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64"
},
"product_reference": "grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le"
},
"product_reference": "grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x"
},
"product_reference": "grafana-debuginfo-0:9.0.9-2.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debuginfo-0:9.0.9-2.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64"
},
"product_reference": "grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-2.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64"
},
"product_reference": "grafana-debugsource-0:9.0.9-2.el9.aarch64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-2.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le"
},
"product_reference": "grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-2.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x"
},
"product_reference": "grafana-debugsource-0:9.0.9-2.el9.s390x",
"relates_to_product_reference": "AppStream-9.2.0.GA"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "grafana-debugsource-0:9.0.9-2.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
"product_id": "AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
},
"product_reference": "grafana-debugsource-0:9.0.9-2.el9.x86_64",
"relates_to_product_reference": "AppStream-9.2.0.GA"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Daniel Abeles"
],
"organization": "Head of Research, Oxeye"
},
{
"names": [
"Gal Goldstein"
],
"organization": "Security Researcher, Oxeye"
}
],
"cve": "CVE-2022-2880",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132868"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request\u0027s form field is set after the reverse proxy director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity to exploit this vulnerability is limited to the Golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2880"
},
{
"category": "external",
"summary": "RHBZ#2132868",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132868"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2880"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/54663",
"url": "https://github.com/golang/go/issues/54663"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters"
},
{
"cve": "CVE-2022-27664",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124669"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http: handle server errors after sending GOAWAY",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-27664"
},
{
"category": "external",
"summary": "RHBZ#2124669",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124669"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27664"
},
{
"category": "external",
"summary": "https://go.dev/issue/54658",
"url": "https://go.dev/issue/54658"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ",
"url": "https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: net/http: handle server errors after sending GOAWAY"
},
{
"cve": "CVE-2022-35957",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2022-09-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2125514"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the grafana package. Auth proxy allows authentication of a user by only providing the username (or email) in an X-WEBAUTH-USER HTTP header. The trust assumption is that a front proxy will take care of authentication and that the Grafana server is only publicly reachable through this front proxy. The flaw allows an authenticated Grafana admin to escalate to server admin and take full control of the Grafana instance. Deactivating auth proxy is a workaround until the fixed package is applied.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: Escalation from admin to server admin when auth proxy is used",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-35957"
},
{
"category": "external",
"summary": "RHBZ#2125514",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2125514"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-35957",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35957"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-35957",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35957"
},
{
"category": "external",
"summary": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q",
"url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: Escalation from admin to server admin when auth proxy is used"
},
{
"cve": "CVE-2022-39229",
"discovery_date": "2022-09-30T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2131149"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Grafana web application. When a user logs into the system, either the username or email address can be used. However, the login system allows a username to be registered that matches another user\u0027s email address, which could allow an attacker to prevent that user from signing in.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "grafana: using email as a username can block other users from signing in",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-39229"
},
{
"category": "external",
"summary": "RHBZ#2131149",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2131149"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-39229",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39229"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39229",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39229"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "grafana: using email as a username can block other users from signing in"
},
{
"acknowledgments": [
{
"names": [
"Adam Korczynski"
],
"organization": "ADA Logics"
},
{
"names": [
"OSS-Fuzz"
]
}
],
"cve": "CVE-2022-41715",
"discovery_date": "2022-10-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2132872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the golang package, where programs that compile regular expressions from untrusted sources are vulnerable to memory exhaustion or a denial of service. The parsed regexp representation is linear in the input size. Still, in some cases, the constant factor can be as high as 40,000, making a relatively small regexp consume larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Routine use of regular expressions is unaffected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: regexp/syntax: limit memory used by parsing regexps",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The opportunity for a Denial of Service is limited to the golang runtime. In the case of OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41715"
},
{
"category": "external",
"summary": "RHBZ#2132872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2132872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715"
},
{
"category": "external",
"summary": "https://github.com/golang/go/issues/55949",
"url": "https://github.com/golang/go/issues/55949"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1",
"url": "https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1"
}
],
"release_date": "2022-10-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-09T09:50:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:2167"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.src",
"AppStream-9.2.0.GA:grafana-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debuginfo-0:9.0.9-2.el9.x86_64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.aarch64",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.ppc64le",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.s390x",
"AppStream-9.2.0.GA:grafana-debugsource-0:9.0.9-2.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang: regexp/syntax: limit memory used by parsing regexps"
}
]
}