SB2022061621 - Multiple vulnerabilities in Grafana

Security Bulletin ID SB2022061621

Severity

Medium

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2022-21703)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into inviting the attacker as a new user with high privileges to escalate privileges.

2) Cross-site scripting (CVE-ID: CVE-2022-21702)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Grafana. A remote attacker can trick the victim to visit a specially crafted link, execute arbitrary HTML code, and perform a Cross-site scripting (XSS) attack.

3) Authorization bypass through user-controlled key (CVE-ID: CVE-2022-21713)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to an Insecure Direct Object Reference (IDOR) error in Grafana Teams APIs. A remote authenticated user can view unintended data by querying for the specific team ID or search for teams and see the total number of available teams.

Remediation

Install update from vendor's website.

SB2022061621 - Multiple vulnerabilities in Grafana

Breakdown by Severity

Description

Remediation

References

Please verify you're human