CVE-2022-35957
Published 2022-09-20
Priority: P3 (37) · Severity: medium · CVSS 3.1 base score: 6.6
Vector: AV:N / AC:H / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.27% (66.1th percentile)
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| github.com | grafana_grafana | >= 0 < 8.5.13 | 8.5.13 |
| github.com | grafana_grafana | >= 9.0.0 < 9.0.9 | 9.0.9 |
| github.com | grafana_grafana | >= 9.1.0 < 9.1.6 | 9.1.6 |
| grafana | grafana | < 8.5.13 | 8.5.13 |
| grafana | grafana | — | — |
| grafana | grafana | >= 9.0.0 < 9.0.9 | 9.0.9 |
| grafana | grafana | >= 9.1.0 < 9.1.6 | 9.1.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 6.6 | MEDIUM | — |
| osv | — | 6.6 | MEDIUM | — |
| vendor_redhat | — | 6.6 | MEDIUM | — |
OSV
Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana
osv · 2024-06-05
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v8.5.13, from v9.0.0 before v9.0.9, from v9.1.0 before v9.1.6.
OSV
Grafana Escalation from admin to server admin when auth proxy is used
osv · 2024-05-14 · CVSS 6.6 · MEDIUM
Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-35957 that affects Grafana instances which are using Grafana [Auth Proxy](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/#configure-auth-proxy-authentication).
Release 9.1.6, latest patch, also containing security fix:
- [Download Grafana 9.1.6](https://grafana.com/grafana/download/9.1.6)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-1-6/)
Release 9.0.9, only containing security fix:
- [Download Grafana 9.0.9](https://grafana.com/grafana/download/9.0.9)
- [Release notes](https://grafana.co
GHSA
Grafana Escalation from admin to server admin when auth proxy is used
ghsa · 2024-05-14 · CVSS 6.6 · MEDIUM · CWE-290
Advisory text identical to the OSV entry above.
OSV
CVE-2022-35957: Grafana is an open-source platform for monitoring and observability
osv · 2022-09-20 · CVSS 6.6 · MEDIUM
Description identical to the summary above.
Red Hat
grafana: Escalation from admin to server admin when auth proxy is used
vendor_redhat · 2022-09-20 · CVSS 6.6 · MEDIUM · CWE-288
A flaw was found in the grafana package. Auth proxy allows authentication of a user by only providing the username (or email) in an X-WEBAUTH-USER HTTP header. The trust assumption is that a front pr
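Whether a given instance is actually exposed depends on two things the advisories state: the running version must fall inside one of the affected ranges in the table above (the "prior to 9.1.6 and 8.5.13" wording hides the fact that 9.0.0 through 9.0.8 are also affected), and auth proxy must be enabled, because the escalation exists only when Grafana trusts the username supplied in the X-WEBAUTH-USER header. The Python script below is an added triage example, not Grafana's code or any advisory's; the grafana.ini fragments are constructed samples, while the `[auth.proxy]` section and its `enabled` key are Grafana's real setting names.

```python
"""Triage helper for CVE-2022-35957 (added example, not Grafana project code).

Exposure requires both conditions from the advisory:
  1. the running Grafana version is inside an affected range
     (< 8.5.13, 9.0.0 <= v < 9.0.9, or 9.1.0 <= v < 9.1.6), and
  2. auth proxy is enabled, because the escalation only exists when
     Grafana trusts the username supplied in the X-WEBAUTH-USER header.
"""
import configparser
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (inclusive lower bound, or None for "any"; exclusive upper bound), taken
# from the affected-version table: 8.5.13, 9.0.9 and 9.1.6 are the fixed releases.
AFFECTED_RANGES: Tuple[Tuple[Optional[Version], Version], ...] = (
    (None, (8, 5, 13)),
    ((9, 0, 0), (9, 0, 9)),
    ((9, 1, 0), (9, 1, 6)),
)


def parse_version(text: str) -> Version:
    """Turn '9.0.8', 'v8.5.12' or '9.1.0-pre' into a comparable
    (major, minor, patch) tuple; a leading 'v' and any suffix are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def version_is_affected(version: str) -> bool:
    """True when the version lies in any affected range. Tuple comparison
    avoids the '9.0.8' < '8.5.13' mistake a plain string compare would make."""
    v = parse_version(version)
    return any((low is None or low <= v) and v < high for low, high in AFFECTED_RANGES)


def auth_proxy_enabled(grafana_ini: str) -> bool:
    """Read [auth.proxy] enabled from grafana.ini text; Grafana's default is false.

    Grafana's ini may carry keys before the first section header, which
    configparser rejects, so a throwaway section is prepended first."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[_root]\n" + grafana_ini)
    return cp.getboolean("auth.proxy", "enabled", fallback=False)


def assess(version: str, grafana_ini: str) -> Tuple[bool, bool, str]:
    """Return (version_affected, proxy_enabled, verdict) for one instance."""
    affected = version_is_affected(version)
    proxy = auth_proxy_enabled(grafana_ini)
    if affected and proxy:
        verdict = "exposed: upgrade, or disable auth proxy as a workaround"
    elif affected:
        verdict = "vulnerable version but auth proxy is off: upgrade before enabling it"
    else:
        verdict = "patched version"
    return affected, proxy, verdict


# Constructed grafana.ini fragments for illustration, not real deployment files.
INI_PROXY_ON = """
app_mode = production

[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
"""

INI_PROXY_OFF = """
[auth.proxy]
;enabled = false
header_name = X-WEBAUTH-USER
"""

if __name__ == "__main__":
    for ver, ini in (("9.1.5", INI_PROXY_ON), ("9.0.9", INI_PROXY_ON), ("8.5.12", INI_PROXY_OFF)):
        affected, proxy, verdict = assess(ver, ini)
        print(f"{ver:>7}  affected={affected!s:5}  auth_proxy={proxy!s:5}  {verdict}")
```

The version string can be read from an instance's unauthenticated `/api/health` endpoint, which reports it in the `version` field. The ini check only sees the file you hand it: Grafana also honours overrides in custom.ini and the `GF_AUTH_PROXY_ENABLED` environment variable, so check those before concluding that auth proxy is off. Disabling auth proxy is the workaround the advisory names, not a fix; the fixed releases are the ones to move to.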
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/
- https://security.netapp.com/advisory/ntap-20221215-0001/