CVE-2022-39324
Published 2023-01-27
Priority: P4 · 14 · low · 3.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.83% (52.9th percentile)
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the request with a web proxy. When another user opens the URL of the snapshot, they are presented with the regular web interface delivered by the trusted Grafana server, but the `Open original dashboard` button no longer points to the real original dashboard; it points to the attacker's injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aimeos | ai-admin-graphql | >= 2022.04.1 < 2022.10.10 | 2022.10.10 |
| aimeos | ai-admin-graphql | >= 2023.04.1 < 2023.10.6 | 2023.10.6 |
| aimeos | ai-admin-graphql | >= 2024.04.1 < 2024.04.2 | 2024.04.2 |
| github.com | grafana_grafana | >= 0 < 8.5.16 | 8.5.16 |
| github.com | grafana_grafana | >= 9.0.0 < 9.2.8 | 9.2.8 |
| grafana | grafana | < 8.5.16 | 8.5.16 |
| grafana | grafana | — | — |
| grafana | grafana | >= 9.0.0 < 9.2.8 | 9.2.8 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
| osv | 3.5 | LOW | — |
| vendor_redhat | 6.7 | MEDIUM | — |
GHSA
aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services
ghsa·2024-07-02
CVE-2024-39324 [LOW] CWE-1220
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows editors to manage their own services via the GraphQL API, which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.
OSV
Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana
osv·2024-06-05
CVE-2022-39324
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/grafana/grafana before v8.5.16, from v9.0.0 before v9.2.8.
GHSA
Grafana Spoofing originalUrl of snapshots
ghsa·2024-05-14
CVE-2022-39324 [MEDIUM] CWE-79
To create a snapshot (and insert an arbitrary URL) the built-in role Viewer is sufficient.
When a dashboard is shared as a local snapshot, the following three fields are offered in the web UI for a user to fill out:
• Snapshot name
• Expire
• Timeout (seconds)
After the user confirms creation of the snapshot (i.e. clicks the "Local Snapshot" button), an HTTP POST request is sent to the Grafana server. The HTTP request contains additional parameters that are not visible in the web UI; among them, the parameter originalUrl is not shown in the web UI but is sent in the HTTP POST request.
The value of the originalUrl parameter is automatically generated. The purpose of the presented originalUrl parameter is to provide a user that views the snapshot the possibility
OSV
Grafana Spoofing originalUrl of snapshots
osv·2024-05-14
CVE-2022-39324 [MEDIUM]
OSV
CVE-2022-39324: Grafana is an open-source platform for monitoring and observability
osv·2023-01-27·CVSS 3.5
CVE-2022-39324 [LOW]
Red Hat
grafana: Spoofing of the originalUrl parameter of snapshots
vendor_redhat·2023-01-30·CVSS 6.7
CVE-2022-39324 [MEDIUM] CWE-472
A flaw was found in the grafana package. While creating a snapshot, an attacker may manipulate a hidden HTTP parameter to inject a malicious URL in the "Open original dashboard"
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw
https://github.com/grafana/grafana/pull/60232
https://github.com/grafana/grafana/pull/60256
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c
https://security.netapp.com/advisory/ntap-20230309-0010/