CVE-2022-21713 — Incorrect Authorization in Grafana Grafana

CWE-863 — Incorrect Authorization CWE-639 — Authorization Bypass Through User-Controlled Key6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 59.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana Netapp E-series Performance Analyzer +1 more

Timeline

PublishedFeb 8

Latest updateMay 14

Description

Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/mem…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDgrafana/grafana5.0.0 — 7.5.15+2

▶Gogithub.com/grafana_grafana5.0.0-beta1 — 7.5.15+1

▶CVEListV5grafana/grafana>= 5.0.0-beta1, < 7.5.15, >= 8.0.0, < 8.3.5+1

▶NVDnetapp/e-series_performance_analyzer< 3.0

Also affects: Fedora 34, 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Grafana API IDOR↗2024-05-14

▶

GHSA

Grafana API IDOR↗2024-05-14

▶

CVEList

Exposure of Sensitive Information in Grafana↗2022-02-08

▶

OSV

CVE-2022-21713: Grafana is an open-source platform for monitoring and observability↗2022-02-08

▶

📋Vendor Advisories

Red Hat

grafana: IDOR vulnerability can lead to information disclosure↗2022-02-08

▶