CVE-2022-39306
Published 2022-11-09
Priority P343 · Severity high · CVSS 3.1 base score 8.1
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS 0.74% (50.0th percentile)
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non-existent users get an email invite, while existing users are added directly to the organization. When an invite link is sent, it allows the recipient to sign up with whatever username and email address they choose and become a member of the organization: the invited address is not enforced at signup, so whoever holds the link can join under an arbitrary identity, and the email addresses and usernames of members who joined through an invite cannot be trusted. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
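The flaw described above is an invite-completion step that verifies the one-time code but not the identity attached to it. The following is an added illustration, not Grafana's code: it models a minimal invite store with a vulnerable completion path that takes username and email verbatim from the signup form, next to a hardened path that binds the account to the invited address and consumes the code. All type and function names (`Invite`, `CompleteInviteRequest`, `completeInviteVulnerable`, `completeInviteHardened`) and the sample invite are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Invite is the record created when an org admin invites an address that has
// no account yet. Field names are illustrative, not Grafana's own schema.
type Invite struct {
	Code  string // one-time token carried in the emailed link
	OrgID int64
	Email string // the address the admin actually invited
	Role  string
}

// CompleteInviteRequest is what the signup form posts back: the link's code
// plus the username and email the person filling in the form chose.
type CompleteInviteRequest struct {
	InviteCode string
	Username   string
	Email      string
}

// Member is the org membership created when signup succeeds.
type Member struct {
	OrgID    int64
	Username string
	Email    string
	Role     string
}

var (
	ErrUnknownInvite = errors.New("invite code not found or already used")
	ErrEmailMismatch = errors.New("email does not match the invited address")
)

// completeInviteVulnerable models the behaviour the advisory describes: the
// invite code is verified, but the identity is taken verbatim from the
// request, so whoever holds the link joins as any username/email they like.
func completeInviteVulnerable(invites map[string]Invite, req CompleteInviteRequest) (Member, error) {
	inv, ok := invites[req.InviteCode]
	if !ok {
		return Member{}, ErrUnknownInvite
	}
	return Member{OrgID: inv.OrgID, Username: req.Username, Email: req.Email, Role: inv.Role}, nil
}

// normalizeEmail trims and lower-cases so "Alice@Example.com " still matches
// the invited address while a different mailbox does not.
func normalizeEmail(s string) string {
	return strings.ToLower(strings.TrimSpace(s))
}

// completeInviteHardened binds the new account to the invite record: the
// submitted email must equal the invited one, the stored email is taken from
// the invite rather than the request, and the code is consumed so the link
// cannot be replayed to create a second account.
func completeInviteHardened(invites map[string]Invite, req CompleteInviteRequest) (Member, error) {
	inv, ok := invites[req.InviteCode]
	if !ok {
		return Member{}, ErrUnknownInvite
	}
	if normalizeEmail(req.Email) != normalizeEmail(inv.Email) {
		return Member{}, ErrEmailMismatch
	}
	delete(invites, req.InviteCode)
	return Member{OrgID: inv.OrgID, Username: req.Username, Email: inv.Email, Role: inv.Role}, nil
}

func main() {
	// Constructed sample data: one pending invite for alice@example.com.
	invites := map[string]Invite{
		"k7Qp": {Code: "k7Qp", OrgID: 1, Email: "alice@example.com", Role: "Editor"},
	}
	// The link holder tries to sign up as a different, more trusted-looking identity.
	forged := CompleteInviteRequest{InviteCode: "k7Qp", Username: "ciso", Email: "ciso@example.com"}

	m, err := completeInviteVulnerable(invites, forged)
	fmt.Printf("vulnerable:          member=%+v err=%v\n", m, err)

	m, err = completeInviteHardened(invites, forged)
	fmt.Printf("hardened (forged):   member=%+v err=%v\n", m, err)

	genuine := CompleteInviteRequest{InviteCode: "k7Qp", Username: "alice", Email: " Alice@Example.com "}
	m, err = completeInviteHardened(invites, genuine)
	fmt.Printf("hardened (genuine):  member=%+v err=%v\n", m, err)
}
```

The username stays user-chosen in the hardened path; the trust anchor is the email, which is the attribute the admin actually vetted when sending the invite. Uniqueness of logins and collision with existing accounts are separate checks and are not modelled here.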
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | grafana_grafana | >= 8.0.0 < 8.5.15 | 8.5.15 |
| github.com | grafana_grafana | >= 9.0.0 < 9.2.4 | 9.2.4 |
| grafana | grafana | < 8.5.15 | 8.5.15 |
| grafana | grafana | — | — |
| grafana | grafana | >= 8.0.0 < 8.5.15 | 8.5.15 |
| grafana | grafana | >= 9.0.0 < 9.2.4 | 9.2.4 |
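The table lists the same advisory under two namespaces with slightly different lower bounds, so a scanner needs to decide which reading to enforce. The following added example (not Grafana's code or tooling) encodes the widest reading, consistent with the NVD text "prior to 9.2.4, or 8.5.15 on the 8.X branch": everything below 8.5.15, including 7.x, plus 9.0.0 up to but excluding 9.2.4. It parses the version strings Grafana ships (with or without a `v` prefix, pre-release or build labels) and treats a pre-release as sorting before its release, so `9.2.4-beta1` is still affected. The `version`, `vulnRange`, `isAffected` names and the sample inputs are assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version holds the numeric major.minor.patch of a Grafana release plus
// whether it carried a pre-release label.
type version struct {
	major, minor, patch int
	pre                 bool // has a pre-release label, which sorts before the release
}

// parseVersion accepts "9.2.3", "v9.2.3", "9.2.3-beta1" and "9.2.3+security-01".
// Build metadata (+...) never affects ordering and is dropped; a pre-release
// label (-...) is recorded so that 9.2.4-beta1 compares below 9.2.4.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 {
		s = s[:i]
	}
	pre := false
	if i := strings.Index(s, "-"); i >= 0 {
		pre = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("version %q: want major.minor.patch", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return version{}, fmt.Errorf("version %q: bad component %q", s, p)
		}
		n[i] = v
	}
	return version{n[0], n[1], n[2], pre}, nil
}

// less reports whether a sorts before b under semantic-versioning rules.
func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre
}

// vulnRange is a half-open interval: introduced <= v < fixed.
// A nil introduced means the range is open below.
type vulnRange struct {
	introduced *version
	fixed      version
}

// cve202239306 is the affected table in its widest reading (assumption for
// the example): anything below 8.5.15, and 9.0.0 up to but excluding 9.2.4.
var cve202239306 = []vulnRange{
	{introduced: nil, fixed: version{8, 5, 15, false}},
	{introduced: &version{9, 0, 0, false}, fixed: version{9, 2, 4, false}},
}

func inRange(v version, r vulnRange) bool {
	if r.introduced != nil && v.less(*r.introduced) {
		return false
	}
	return v.less(r.fixed)
}

// isAffected reports whether a Grafana version string falls in any range.
func isAffected(s string, ranges []vulnRange) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		if inRange(v, r) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs, including two that should fail to parse.
	for _, s := range []string{"7.5.17", "8.5.14", "8.5.15", "9.2.3", "v9.2.4-beta1", "9.2.4", "10.0.0", "latest"} {
		ok, err := isAffected(s, cve202239306)
		fmt.Printf("%-14s affected=%v err=%v\n", s, ok, err)
	}
}
```

Unparseable strings such as `latest` are returned as errors rather than silently reported as unaffected, so an inventory with a bad version tag surfaces instead of disappearing from the report.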
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| ghsa | — | 8.1 | HIGH | — |
| osv | — | 8.1 | HIGH | — |
| vendor_redhat | — | 6.4 | MEDIUM | — |
The sources disagree on severity: NVD, GHSA and OSV score it 8.1 HIGH, Red Hat 6.4 MEDIUM, and Grafana's own release notes below describe the fix as moderate severity. The NVD vector (PR:N, UI:R, C:H/I:H) is what drives the high rating.
OSV
Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana
osv · 2024-06-05
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana from v8.0.0 before v8.5.15, from v9.0.0 before v9.2.4.
GHSA
Grafana Email addresses and usernames can not be trusted
ghsa · 2024-05-14 · CVSS 8.1 · HIGH · CWE-20
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate severity security fixes for CVE-2022-39306.
We are also releasing security patches for Grafana 8.5.15 to fix these issues.
Release 9.2.4, latest patch, also containing security fix:
- [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4)
Release 8.5.15, only containing security fix:
- [Download Grafana 8.5.15](https://grafana.com/grafana/download/8.5.15)
Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerin
OSV
Grafana Email addresses and usernames can not be trusted
osv · 2024-05-14 · CVSS 8.1 · HIGH (advisory text identical to the GHSA entry above)
OSV
CVE-2022-39306: Grafana is an open-source platform for monitoring and observability
osv · 2022-11-09 · CVSS 8.1 · HIGH (description identical to the summary at the top of the page)
Red Hat
grafana: email addresses and usernames cannot be trusted
vendor_redhat · 2022-11-08 · CVSS 6.4 · MEDIUM · CWE-303 (description identical to the summary at the top of the page)
An authentication by
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.