CVE-2022-26148
published 2022-03-21CVE-2022-26148: An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grafana | grafana | <= 7.3.4 | — |
| redhat | ceph_storage | — | — |
| redhat | ceph_storage | — | — |
| redhat | ceph_storage | — | — |
| redhat | storage | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL