openEuler 22.03 LTS SP4 update for grafana
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2022-31097 CVE-2022-31123 CVE-2022-31130 CVE-2022-35957 CVE-2022-36062 CVE-2022-39201 CVE-2022-39306 CVE-2022-39307 CVE-2022-39324 |
| CWE-ID | CWE-79 CWE-347 CWE-200 CWE-288 CWE-264 CWE-20 CWE-451 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
openEuler Operating systems & Components / Operating system grafana-selinux Operating systems & Components / Operating system package or component grafana-debugsource Operating systems & Components / Operating system package or component grafana-debuginfo Operating systems & Components / Operating system package or component grafana Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Stored cross-site scripting
EUVDB-ID: #VU65354
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-31097
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP4
grafana-selinux: before 9.2.10-1
grafana-debugsource: before 9.2.10-1
grafana-debuginfo: before 9.2.10-1
grafana: before 9.2.10-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:grafana-selinux:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU72128
Risk: Medium
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-31123
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected instance.
The vulnerability exists due to missing signature verification mechanism. A remote attacker can trick the server admin into installing a malicious plugin even though unsigned plugins are not allowed.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP4
grafana-selinux: before 9.2.10-1
grafana-debugsource: before 9.2.10-1
grafana-debuginfo: before 9.2.10-1
grafana: before 9.2.10-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:grafana-selinux:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU72130
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-31130
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to the GitLab data source plugin leaks the API key to GitLab. A remote privileged user can expose Grafana authentication token to a third-party.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP4
grafana-selinux: before 9.2.10-1
grafana-debugsource: before 9.2.10-1
grafana-debuginfo: before 9.2.10-1
grafana: before 9.2.10-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:grafana-selinux:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Authentication bypass using an alternate path or channel
EUVDB-ID: #VU68557
Risk: Low
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-35957
CWE-ID:
CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to the way Grafana handles authorization process when Auth proxy authentication is used. A remote user with admin privileges can authenticate as Server Admin by providing the username (or email) in a X-WEBAUTH-USER HTTP header.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP4
grafana-selinux: before 9.2.10-1
grafana-debugsource: before 9.2.10-1
grafana-debuginfo: before 9.2.10-1
grafana: before 9.2.10-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:grafana-selinux:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU67646
Risk: Medium
CVSSv4.0: 2.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-36062
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP4
grafana-selinux: before 9.2.10-1
grafana-debugsource: before 9.2.10-1
grafana-debuginfo: before 9.2.10-1
grafana: before 9.2.10-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:grafana-selinux:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU72131
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39201
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to Grafana leaks the authentication cookie of users to plugins. A remote user can gain unauthorized access to sensitive information.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP4
grafana-selinux: before 9.2.10-1
grafana-debugsource: before 9.2.10-1
grafana-debuginfo: before 9.2.10-1
grafana: before 9.2.10-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:grafana-selinux:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU69484
Risk: Medium
CVSSv4.0: 4.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39306
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can use the invitation link to sign up with an arbitrary username/email with a malicious intent.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP4
grafana-selinux: before 9.2.10-1
grafana-debugsource: before 9.2.10-1
grafana-debuginfo: before 9.2.10-1
grafana: before 9.2.10-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:grafana-selinux:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Information disclosure
EUVDB-ID: #VU69485
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-39307
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application when using the forget password on the login page. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP4
grafana-selinux: before 9.2.10-1
grafana-debugsource: before 9.2.10-1
grafana-debuginfo: before 9.2.10-1
grafana: before 9.2.10-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:grafana-selinux:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Spoofing attack
EUVDB-ID: #VU71566
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-39324
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to usage of a hidden originalUrl parameter in the shared dashboard. A remote attacker can trick the victim into opening a shared snapshot and click on the button in the Grafana web UI, which will redirect user to an attacker-controlled URL.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS SP4
grafana-selinux: before 9.2.10-1
grafana-debugsource: before 9.2.10-1
grafana-debuginfo: before 9.2.10-1
grafana: before 9.2.10-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:*
- cpe:2.3:o:openeuler:grafana-selinux:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:grafana:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1189
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
