CVE-2022-31107: Incorrect Authorization in Grafana

Severity
NVD: 7.5 HIGH
CNA: 7.1
EPSS: 0.5% (top 33.51%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Jul 15
Latest update: Jun 5

Description

Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (3 packages)

NVD: grafana/grafana, 5.3.0 to 8.3.10, +3 more
Go: github.com/grafana_grafana, 5.3.0-beta1 to 8.3.10, +3 more
CVEList V5: grafana/grafana, 4 versions, +3 more

Vulnerability Details (5)

OSV: Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana (2024-06-05)
OSV: Grafana account takeover via OAuth vulnerability (2024-05-14)
GHSA: Grafana account takeover via OAuth vulnerability (2024-05-14)
CVEList: Grafana account takeover via OAuth vulnerability (2022-07-15)
OSV: CVE-2022-31107: Grafana is an open-source platform for monitoring and observability (2022-07-15)

Vendor Advisories (1)

Red Hat: grafana: OAuth account takeover (2022-07-14)

Source: cvebase (CVE-2022-31107, Incorrect Authorization)