CVE-2022-39201 — Sensitive Information Exposure in Grafana Grafana

CWE-200 — Sensitive Information Exposure7 documents5 sources

Severity

7.5HIGHNVD

CNA6.8

EPSS

0.9%

top 24.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Grafana Grafana Grafana

Timeline

PublishedOct 13

Latest updateJun 10

Description

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDgrafana/grafana5.0.1 — 8.5.14+2

▶Gogithub.com/grafana_grafana5.0.0-beta1 — 8.5.14+2

▶CVEListV5grafana/grafana>= 9.0.0, < 9.1.8, >= v5.0.0-beta1, < 8.5.14+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana↗2024-06-10

▶

GHSA

Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins↗2024-05-14

▶

OSV

Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins↗2024-05-14

▶

OSV

CVE-2022-39201: Grafana is an open source observability and data visualization platform↗2022-10-13

▶

CVEList

Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins↗2022-10-13

▶

📋Vendor Advisories

Red Hat

grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins↗2022-10-14

▶