CVE-2022-21703 — Cross-Site Request Forgery in Grafana Grafana PKG WEB

CWE-352 — Cross-Site Request Forgery10 documents7 sources

Severity

8.8HIGHNVD

CNA6.3

EPSS

1.9%

top 16.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana PKG WEB Grafana Netapp E-series Performance Analyzer +1 more

Timeline

PublishedFeb 8

Latest updateApr 25

Description

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDgrafana/grafana3.0.1 — 7.5.15+2

▶Gogithub.com/grafana_grafana_pkg_web3.0-beta1 — 7.5.15+1

▶CVEListV5grafana/grafana>= 3.0-beta1, < 7.5.15, >= 8.0.0, < 8.3.5+1

▶NVDnetapp/e-series_performance_analyzer< 3.0

Also affects: Fedora 34, 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

linux-oracle-5.15 vulnerabilities↗2025-04-25

▶

GHSA

Grafana Cross Site Request Forgery (CSRF)↗2024-02-01

▶

OSV

Grafana Cross Site Request Forgery (CSRF)↗2024-02-01

▶

CVEList

Cross Site Request Forgery in Grafana↗2022-02-08

▶

OSV

CVE-2022-21703: Grafana is an open-source platform for monitoring and observability↗2022-02-08

▶

📋Vendor Advisories

Red Hat

grafana: CSRF vulnerability can lead to privilege escalation↗2022-02-08

▶

Oracle

Oracle Oracle Communications Risk Matrix: Platform (PHP) — CVE-2021-21703↗2022-01-15

▶

💬Community

HackerOne

monitoring.prow-canary.k8s.io is vulnerable to CVE-2022-21703 (Grafana 0-day)↗2024-06-25

▶