Multiple vulnerabilities in Grafana
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2022-39229 CVE-2022-39201 CVE-2022-31130 CVE-2022-31123 |
| CWE-ID | CWE-287 CWE-200 CWE-347 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Grafana Web applications / Other software |
| Vendor | Grafana Labs |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper Authentication
EUVDB-ID: #VU72132
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-39229
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to deny access to the application.
The vulnerability exists due to a logic error in the authentication process, where application allows usage of the same email address by different accounts. A remote user can set an existing email address that belongs to another user as their username and prevent that user from accessing the application.
Install updates from vendor's website.
Vulnerable software versionsGrafana: 8.0.0 - 9.1.7
CPE2.3- cpe:2.3:a:grafana_labs:grafana:8.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.2:*:*:*:*:*:*:*
https://github.com/grafana/grafana/commit/5644758f0c5ae9955a4e5480d71f9bef57fdce35
https://github.com/grafana/grafana/releases/tag/v9.1.8
https://github.com/grafana/grafana/security/advisories/GHSA-gj7m-853r-289r
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU72131
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39201
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to Grafana leaks the authentication cookie of users to plugins. A remote user can gain unauthorized access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGrafana: 5.0.0 beta1 - 9.1.7
CPE2.3- cpe:2.3:a:grafana_labs:grafana:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:5.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:5.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:5.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:5.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:6.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:6.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:6.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:6.4.5:*:*:*:*:*:*:*
https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr
https://github.com/grafana/grafana/releases/tag/v9.1.8
https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9
https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU72130
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-31130
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to the GitLab data source plugin leaks the API key to GitLab. A remote privileged user can expose Grafana authentication token to a third-party.
Install updates from vendor's website.
Vulnerable software versionsGrafana: 7.0.0 - 9.1.7
CPE2.3- cpe:2.3:a:grafana_labs:grafana:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.5.17:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.3:*:*:*:*:*:*:*
https://github.com/grafana/grafana/security/advisories/GHSA-jv32-5578-pxjc
https://github.com/grafana/grafana/releases/tag/v9.1.8
https://github.com/grafana/grafana/commit/4dd56e4dabce10007bf4ba1059bf54178c35b177
https://github.com/grafana/grafana/commit/9da278c044ba605eb5a1886c48df9a2cb0d3885f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU72128
Risk: Medium
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-31123
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected instance.
The vulnerability exists due to missing signature verification mechanism. A remote attacker can trick the server admin into installing a malicious plugin even though unsigned plugins are not allowed.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGrafana: 7.0.0 - 9.1.7
CPE2.3- cpe:2.3:a:grafana_labs:grafana:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:7.5.17:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:8.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:grafana_labs:grafana:9.1.4:*:*:*:*:*:*:*
https://github.com/grafana/grafana/security/advisories/GHSA-rhxj-gh46-jvw8
https://github.com/grafana/grafana/releases/tag/v9.1.8
https://security.netapp.com/advisory/ntap-20221124-0002/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
