CVE-2022-39306: Improper Input Validation in Grafana

Severity
NVD: 8.1 HIGH
CNA: 6.4
EPSS
0.4% (top 41.33%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 9
Latest update: Jun 5

Description

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non-existing users get an email invite, while existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (3 packages)

Source     | Package                      | Affected range      | Other ranges
CVEListV5  | grafana/grafana              | < 8.5.15            | +1
NVD        | grafana/grafana              | 8.0.0 to 8.5.15     | +1
Go         | github.com/grafana_grafana   | 8.0.0 to 8.5.15     | +1

Patches

Vulnerability Details (5)

OSV: Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana (2024-06-05)
GHSA: Grafana Email addresses and usernames can not be trusted (2024-05-14)
OSV: Grafana Email addresses and usernames can not be trusted (2024-05-14)
OSV: CVE-2022-39306: Grafana is an open-source platform for monitoring and observability (2022-11-09)
CVEList: Grafana contains Improper Input Validation (2022-11-09)

Vendor Advisories (1)

Red Hat: grafana: email addresses and usernames cannot be trusted (2022-11-08)