CVE-2022-39201
Published 2022-10-13
Priority P3 · 44 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.23% (65.1th percentile)
Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 5.0.0-beta1 < 8.5.14 | 8.5.14 |
| github.com | grafana_grafana | >= 5.0.0-beta1+incompatible | — |
| github.com | grafana_grafana | >= 9.0.0 < 9.1.8 | 9.1.8 |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | — | — |
| grafana | grafana | >= 5.0.1 < 8.5.14 | 8.5.14 |
| grafana | grafana | >= 9.0.0 < 9.1.8 | 9.1.8 |
CVSS provenance
- nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- ghsa · 7.5 HIGH
- osv · 7.5 HIGH
- vendor_redhat · 6.8 MEDIUM
OSV
Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana
osv·2024-06-10
Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v8.5.14, from v9.0.0 before v9.1.8.
GHSA
Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
ghsa·2024-05-14·CVSS 7.5
CVE-2022-39201 [HIGH] CWE-200 Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
Today we are releasing Grafana 9.2. Alongside new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-39201.
We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues.
Release 9.2, latest release, also containing security fix:
- [Download Grafana 9.2](https://grafana.com/grafana/download/9.2)
Release 9.1.8, only containing security fix:
- [Download Grafana 9.1.8](https://grafana.com/grafana/download/9.1.8)
Release 8.5.14, only containing security fix:
- [Download Grafana 8.5.14](https://grafana.com/grafana/download/8.5.14)
Appropriate patches have been applied to [Grafana Cloud](https
OSV
Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
osv·2024-05-14·CVSS 7.5
OSV
CVE-2022-39201: Grafana is an open source observability and data visualization platform
osv·2022-10-13·CVSS 7.5
Red Hat
grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
vendor_redhat·2022-10-14·CVSS 6.8
A flaw was found in Grafana. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. Grafana could leak the authentication cookie of users to plugins, which could result in an imp
No detection rules found.
No public exploits indexed.
- https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57
- https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr