cvelistv5 - CVE-2022-36062

Source	URL	Tags
security-advisories@github.com	https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492	Patch, Release Notes, Vendor Advisory
security-advisories@github.com	https://security.netapp.com/advisory/ntap-20221215-0001/	Third Party Advisory

Vendor	Product
grafana	grafana

ghsa-p978-56hq-r492

Vulnerability from github

Published

2024-05-14 22:29

Modified

2024-07-08 20:47

Severity

7.6 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
7.2 (High) - CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

Grafana folders admin only permission privilege escalation

Details

Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-36062 that affects Grafana instances which are using Grafana role-based access control (RBAC).

Release 9.1.6, latest patch, also containing security fix:

Release 9.0.9, only containing security fix:

Release 8.5.13, only containing security fix:

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana as a service offering.

Privilege escalation (CVE-2022-36062)

Summary

On August 29 we have received a bug report for Grafana role-based access control (RBAC) and confirmed a vulnerability in the Grafana. This vulnerability impacts folders/dashboards with Admin only permissions and where RBAC was ever enabled at least once.

When RBAC is enabled, Grafana runs migrations which translate legacy access control permissions into RBAC permissions. The migrations contain a bug, which grants additional access to folders/dashboards which only had Admin role grant, resulting in a privilege escalation where Editors can edit and Viewers can view the folder/dashboard which they should not have access to.

The CVSS score for this vulnerability is 6.4 Moderate (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L).

Impacted versions

All Grafana installations where the RBAC was at least enabled once and there are folders/dashboards with only Admin grant.

Solutions and mitigations

To fully address CVE-2022-36062 please upgrade your Grafana instances. They are only required if you have ever enabled RBAC and have dashboards/folders where Admin is the only permission..

If you can’t upgrade, as a workaround when impacted folder/dashboard is known, the additional permissions can be removed manually.

Appropriate patches have been applied to Grafana Cloud.

Timeline

Here is a timeline starting from when we originally learned of the issue.

2022-08-27: External report received about a bug in Grafana role-based access control.
2022-08-30: The bug is confirmed as a vulnerability.
2022-08-31: Mitigation is applied to Grafana Cloud.
2022-08-31: Release timeline determined: 2022-09-06 for private customer release, 2022-09-20 for public release.
2022-09-06: Private release.
2022-09-20: Public release.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.0"
            },
            {
              "fixed": "8.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.1.0"
            },
            {
              "fixed": "9.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36062"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-281"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T22:29:44Z",
    "nvd_published_at": "2022-09-22T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-36062 that affects Grafana instances which are using Grafana role-based access control (RBAC).\n\nRelease 9.1.6, latest patch, also containing security fix:\n\n- [Download Grafana 9.1.6](https://grafana.com/grafana/download/9.1.6)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-1-6/)\n\nRelease 9.0.9, only containing security fix:\n\n- [Download Grafana 9.0.9](https://grafana.com/grafana/download/9.0.9)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-9/)\n\nRelease 8.5.13, only containing security fix:\n\n- [Download Grafana 8.5.13](https://grafana.com/grafana/download/8.5.13)\n- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-13/)\n\nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure\u0027s Grafana as a service offering.\n\n## Privilege escalation (CVE-2022-36062)\n\n### Summary \n\nOn August 29 we have received a bug report for Grafana role-based access control (RBAC) and confirmed a vulnerability in the Grafana. This vulnerability impacts folders/dashboards with Admin only permissions and where RBAC was ever enabled at least once.\n\nWhen RBAC is enabled, Grafana runs migrations which translate legacy access control permissions into RBAC permissions. The migrations contain a bug, which grants additional access to folders/dashboards which only had Admin role grant, resulting in a privilege escalation where Editors can edit and Viewers can view the folder/dashboard which they should not have access to.\n\nThe CVSS score for this vulnerability is 6.4 Moderate (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L).\n\n### Impacted versions\n\nAll Grafana installations where the [RBAC](https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/) was at least enabled once and there are folders/dashboards with only Admin grant.\n\n### Solutions and mitigations\n\nTo fully address CVE-2022-36062 please upgrade your Grafana instances. They are only required if you have ever enabled RBAC and have dashboards/folders where Admin is the only permission..\n\nIf you can\u2019t upgrade, as a workaround when impacted folder/dashboard is known, the additional permissions can be removed manually.\n\nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud).\n\n### Timeline\n\nHere is a timeline starting from when we originally learned of the issue. \n\n* 2022-08-27: External report received about a bug in Grafana role-based access control.\n* 2022-08-30: The bug is confirmed as a vulnerability.\n* 2022-08-31: Mitigation is applied to Grafana Cloud.\n* 2022-08-31: Release timeline determined: 2022-09-06 for private customer release, 2022-09-20 for public release.\n* 2022-09-06: Private release.\n* 2022-09-20: Public release.\n\n## Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs\u0027 open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is\n\nF988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from keyserver.ubuntu.com.\n\n## Security announcements\n\nWe maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.\n\nYou can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).",
  "id": "GHSA-p978-56hq-r492",
  "modified": "2024-07-08T20:47:52Z",
  "published": "2024-05-14T22:29:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36062"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221215-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grafana folders admin only permission privilege escalation"
}

wid-sec-w-2022-1486

Vulnerability from csaf_certbund

Published

2022-09-20 22:00

Modified

2024-01-23 23:00

Summary

Grafana: Mehrere Schwachstellen ermöglichen Privilegieneskalation

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Grafana ist eine Open-Source Analyse- und Visualisierungssoftware.

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um seine Privilegien zu erhöhen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Grafana ist eine Open-Source Analyse- und Visualisierungssoftware.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um seine Privilegien zu erh\u00f6hen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-1486 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1486.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-1486 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1486"
      },
      {
        "category": "external",
        "summary": "Grafana Release Notes vom 2022-09-20",
        "url": "https://grafana.com/blog/2022/09/20/grafana-security-releases-new-versions-with-moderate-severity-security-fixes-for-cve-2022-35957-and-cve-2022-36062/"
      },
      {
        "category": "external",
        "summary": "Github Security Advisory vom 2022-09-20",
        "url": "https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q"
      },
      {
        "category": "external",
        "summary": "Github Security Advisory vom 2022-09-20",
        "url": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:3676-1 vom 2022-10-20",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012594.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:4439-1 vom 2022-12-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-December/013221.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:4437-1 vom 2022-12-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-December/013220.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:4428-1 vom 2022-12-13",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-December/013218.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:2167 vom 2023-05-09",
        "url": "https://access.redhat.com/errata/RHSA-2023:2167"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0191-1 vom 2024-01-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017744.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0196-1 vom 2024-01-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017743.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Grafana: Mehrere Schwachstellen erm\u00f6glichen Privilegieneskalation",
    "tracking": {
      "current_release_date": "2024-01-23T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T16:58:52.895+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2022-1486",
      "initial_release_date": "2022-09-20T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-09-20T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-10-20T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2022-12-12T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2023-05-09T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-01-23T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "5"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Open Source Grafana \u003c 9.1.6",
                "product": {
                  "name": "Open Source Grafana \u003c 9.1.6",
                  "product_id": "T024674",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:grafana:grafana:9.1.6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source Grafana \u003c 9.0.9",
                "product": {
                  "name": "Open Source Grafana \u003c 9.0.9",
                  "product_id": "T024675",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:grafana:grafana:9.0.9"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source Grafana \u003c 8.5.13",
                "product": {
                  "name": "Open Source Grafana \u003c 8.5.13",
                  "product_id": "T024676",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:grafana:grafana:8.5.13"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Grafana"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-35957",
      "notes": [
        {
          "category": "description",
          "text": "In Grafana existieren mehrere Schwachstellen. Diese bestehen bei der Nutzung von \"Auth proxy\" sowie \"RBAC\" (Role-based-access-control). Ein entfernter, authentisierter Angreifer mit erweiterten Rechten kann diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "67646"
        ]
      },
      "release_date": "2022-09-20T22:00:00Z",
      "title": "CVE-2022-35957"
    },
    {
      "cve": "CVE-2022-36062",
      "notes": [
        {
          "category": "description",
          "text": "In Grafana existieren mehrere Schwachstellen. Diese bestehen bei der Nutzung von \"Auth proxy\" sowie \"RBAC\" (Role-based-access-control). Ein entfernter, authentisierter Angreifer mit erweiterten Rechten kann diese Schwachstelle ausnutzen, um seine Privilegien zu erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "67646"
        ]
      },
      "release_date": "2022-09-20T22:00:00Z",
      "title": "CVE-2022-36062"
    }
  ]
}

gsd-2022-36062

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.

Aliases

CVE-2022-36062

Aliases

CVE-2022-36062

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-36062",
    "description": "Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.",
    "id": "GSD-2022-36062",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-36062.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-36062"
      ],
      "details": "Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.",
      "id": "GSD-2022-36062",
      "modified": "2023-12-13T01:19:21.157944Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-36062",
        "STATE": "PUBLIC",
        "TITLE": "Grafana folders admin only permission privilege escalation"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "grafana",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 8.5.13"
                        },
                        {
                          "version_value": "\u003e= 9.0.0, \u003c 9.0.9"
                        },
                        {
                          "version_value": "\u003e=  9.1.0, \u003c 9.1.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "grafana"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-281: Improper Preservation of Permissions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492",
            "refsource": "CONFIRM",
            "url": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20221215-0001/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-p978-56hq-r492",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.1.6",
                "versionStartIncluding": "9.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.0.9",
                "versionStartIncluding": "9.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "8.5.13",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-36062"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-281"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20221215-0001/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20221215-0001/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.8,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2023-02-16T03:19Z",
      "publishedDate": "2022-09-22T18:15Z"
    }
  }
}

Action not permitted

CVE-2022-36062

Vulnerability from cvelistv5

ghsa-p978-56hq-r492

Vulnerability from github

Privilege escalation (CVE-2022-36062)

Summary

Impacted versions

Solutions and mitigations

Timeline

Reporting security issues

Security announcements

wid-sec-w-2022-1486

Vulnerability from csaf_certbund

gsd-2022-36062

Vulnerability from gsd

Tags