CVE-2022-36062 — Improper Preservation of Permissions in Grafana

CWE-281 — Improper Preservation of Permissions7 documents5 sources

Severity

3.8LOWNVD

CNA7.6

EPSS

0.1%

top 67.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Grafana Github.com Grafana Grafana

Timeline

PublishedSep 22

Latest updateJun 5

Description

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user perm…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5grafana/grafana< 8.5.13+2

▶NVDgrafana/grafana9.0.0 — 9.0.9+2

▶Gogithub.com/grafana_grafana8.5.0 — 8.5.13+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Grafana folders admin only permission privilege escalation in github.com/grafana/grafana↗2024-06-05

▶

GHSA

Grafana folders admin only permission privilege escalation↗2024-05-14

▶

OSV

Grafana folders admin only permission privilege escalation↗2024-05-14

▶

OSV

CVE-2022-36062: Grafana is an open-source platform for monitoring and observability↗2022-09-22

▶

CVEList

Grafana folders admin only permission privilege escalation↗2022-09-22

▶

📋Vendor Advisories

Red Hat

grafana: Grafana RBAC folders/dashboards privilege escalation↗2022-09-20

▶