cvelistv5 - cve-2022-39328

CVE-2022-39328 (GCVE-0-2022-39328)

Vulnerability from cvelistv5 – Published: 2022-11-08 00:00 – Updated: 2025-04-23 16:40

Summary

Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/grafana/grafana/security/advis…
	https://security.netapp.com/advisory/ntap-2022121…

Impacted products

	Vendor	Product	Version
	grafana	grafana	Affected: >= 9.2.0, < 9.2.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:00:44.037Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221215-0003/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-39328",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:48:17.733991Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:40:06.552Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grafana",
          "vendor": "grafana",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 9.2.0, \u003c 9.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-15T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221215-0003/"
        }
      ],
      "source": {
        "advisory": "GHSA-vqc4-mpj8-jxch",
        "discovery": "UNKNOWN"
      },
      "title": "Grafana vulnerable to race condition allowing privilege escalation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-39328",
    "datePublished": "2022-11-08T00:00:00.000Z",
    "dateReserved": "2022-09-02T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:40:06.552Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.2.0\", \"versionEndExcluding\": \"9.2.4\", \"matchCriteriaId\": \"F0ED42D9-FCEE-4A77-8D62-7AE5BDFB603B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.\"}, {\"lang\": \"es\", \"value\": \"Grafana es una plataforma de c\\u00f3digo abierto para monitorizaci\\u00f3n y observabilidad. Las versiones que comienzan con 9.2.0 y menos que 9.2.4 contienen una condici\\u00f3n de ejecuci\\u00f3n en la l\\u00f3gica del middleware de autenticaci\\u00f3n que puede permitir que un usuario no autenticado consulte un endpoint de administraci\\u00f3n bajo una carga pesada. Este problema se solucion\\u00f3 en 9.2.4. No se conocen workarounds.\"}]",
      "id": "CVE-2022-39328",
      "lastModified": "2024-11-21T07:18:02.917",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.9}]}",
      "published": "2022-11-08T23:15:11.737",
      "references": "[{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221215-0003/\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221215-0003/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-362\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-362\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-39328\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-08T23:15:11.737\",\"lastModified\":\"2024-11-21T07:18:02.917\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.\"},{\"lang\":\"es\",\"value\":\"Grafana es una plataforma de c\u00f3digo abierto para monitorizaci\u00f3n y observabilidad. Las versiones que comienzan con 9.2.0 y menos que 9.2.4 contienen una condici\u00f3n de ejecuci\u00f3n en la l\u00f3gica del middleware de autenticaci\u00f3n que puede permitir que un usuario no autenticado consulte un endpoint de administraci\u00f3n bajo una carga pesada. Este problema se solucion\u00f3 en 9.2.4. No se conocen workarounds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.2.0\",\"versionEndExcluding\":\"9.2.4\",\"matchCriteriaId\":\"F0ED42D9-FCEE-4A77-8D62-7AE5BDFB603B\"}]}]}],\"references\":[{\"url\":\"https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20221215-0003/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20221215-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Grafana vulnerable to race condition allowing privilege escalation\", \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-12-15T00:00:00.000Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.\"}], \"affected\": [{\"vendor\": \"grafana\", \"product\": \"grafana\", \"versions\": [{\"version\": \"\u003e= 9.2.0, \u003c 9.2.4\", \"status\": \"affected\"}]}], \"references\": [{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221215-0003/\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\"}}], \"problemTypes\": [{\"descriptions\": [{\"type\": \"CWE\", \"lang\": \"en\", \"description\": \"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\", \"cweId\": \"CWE-362\"}]}], \"source\": {\"advisory\": \"GHSA-vqc4-mpj8-jxch\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:00:44.037Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20221215-0003/\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-39328\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T15:48:17.733991Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T15:48:19.746Z\"}}]}",
      "cveMetadata": "{\"state\": \"PUBLISHED\", \"cveId\": \"CVE-2022-39328\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-23T16:40:06.552Z\", \"dateReserved\": \"2022-09-02T00:00:00.000Z\", \"datePublished\": \"2022-11-08T00:00:00.000Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-VQC4-MPJ8-JXCH

Vulnerability from github – Published: 2024-05-14 22:26 – Updated: 2024-07-08 21:00

Summary

Grafana Race condition allowing privilege escalation

Details

Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes critical security fixes for CVE-2022-39328.

Release 9.2.4, latest patch, also containing security fix:

Download Grafana 9.2.4

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana as a service offering.

Privilege escalation

Summary

Internal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. A race condition in the HTTP context creation could make a HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load it is possible that a call protected by a privileged middleware receives instead the middleware of a public query. As a result, an unauthenticated user can successfully query protected endpoints.

The CVSS score for this vulnerability is 9.8 Critical

Impact

Unauthenticated users can query arbitrary endpoints with malicious intent.

Impacted versions

All installations for Grafana versions >=9.2.x.

Solutions and mitigations

To fully address CVE-2022-39328, please upgrade your Grafana instances. Appropriate patches have been applied to Grafana Cloud.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.2.0"
            },
            {
              "fixed": "9.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T22:26:48Z",
    "nvd_published_at": "2022-11-08T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes critical security fixes for CVE-2022-39328.\n\nRelease 9.2.4, latest patch, also containing security fix:\n\n- [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4)\n\nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana as a service offering.\n\n## Privilege escalation\n\n### Summary\n\nInternal security audit identified a race condition in the Grafana codebase, which allowed an unauthenticated user to query an arbitrary endpoint in Grafana.\nA race condition in the [HTTP context creation](https://github.com/grafana/grafana/blob/main/pkg/web/router.go#L153) could make a HTTP request being assigned the authentication/authorization middlewares of another call. Under heavy load it is possible that a call protected by a privileged middleware receives instead the middleware of a public query. \nAs a result, an unauthenticated user can successfully query protected endpoints.\n\nThe CVSS score for this vulnerability is [9.8 Critical](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\u0026version=3.1)\n\n### Impact\n\nUnauthenticated users can query arbitrary endpoints with malicious intent.\n\n### Impacted versions\n\nAll installations for Grafana versions \u003e=9.2.x.\n\n### Solutions and mitigations\n\nTo fully address CVE-2022-39328, please upgrade your Grafana instances. \nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud).\n\n## Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs\u0027 open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is\n\nF988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from keyserver.ubuntu.com.\n\n## Security announcements\n\nWe maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.\n\nYou can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).",
  "id": "GHSA-vqc4-mpj8-jxch",
  "modified": "2024-07-08T21:00:28Z",
  "published": "2024-05-14T22:26:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39328"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221215-0003"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grafana Race condition allowing privilege escalation"
}

FKIE_CVE-2022-39328

Vulnerability from fkie_nvd - Published: 2022-11-08 23:15 - Updated: 2024-11-21 07:18

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch	Vendor Advisory
security-advisories@github.com	https://security.netapp.com/advisory/ntap-20221215-0003/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20221215-0003/	Third Party Advisory

Impacted products

	Vendor	Product	Version
	grafana	grafana	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0ED42D9-FCEE-4A77-8D62-7AE5BDFB603B",
              "versionEndExcluding": "9.2.4",
              "versionStartIncluding": "9.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds."
    },
    {
      "lang": "es",
      "value": "Grafana es una plataforma de c\u00f3digo abierto para monitorizaci\u00f3n y observabilidad. Las versiones que comienzan con 9.2.0 y menos que 9.2.4 contienen una condici\u00f3n de ejecuci\u00f3n en la l\u00f3gica del middleware de autenticaci\u00f3n que puede permitir que un usuario no autenticado consulte un endpoint de administraci\u00f3n bajo una carga pesada. Este problema se solucion\u00f3 en 9.2.4. No se conocen workarounds."
    }
  ],
  "id": "CVE-2022-39328",
  "lastModified": "2024-11-21T07:18:02.917",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-08T23:15:11.737",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221215-0003/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20221215-0003/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2022-78211

Vulnerability from cnvd - Published: 2022-11-17

Title

Grafana竞争条件漏洞

Description

Grafana是Grafana开源的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。 Grafana存在竞争条件漏洞，该漏洞源于在身份验证中间件逻辑中包含竞争条件，未经身份验证的攻击者可利用该漏洞在重负载下查询管理端点。

Severity

高

Patch Name

Grafana竞争条件漏洞的补丁

Patch Description

Grafana是Grafana开源的一套提供可视化监控界面的开源监控工具。该工具主要用于监控和分析Graphite、InfluxDB和Prometheus等。 Grafana存在竞争条件漏洞，该漏洞源于在身份验证中间件逻辑中包含竞争条件，未经身份验证的攻击者可利用该漏洞在重负载下查询管理端点。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-39328

Impacted products

Name
Grafana Grafana >=9.2.0，<9.2.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-39328",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-39328"
    }
  },
  "description": "Grafana\u662fGrafana\u5f00\u6e90\u7684\u4e00\u5957\u63d0\u4f9b\u53ef\u89c6\u5316\u76d1\u63a7\u754c\u9762\u7684\u5f00\u6e90\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u548c\u5206\u6790Graphite\u3001InfluxDB\u548cPrometheus\u7b49\u3002\n\nGrafana\u5b58\u5728\u7ade\u4e89\u6761\u4ef6\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u8eab\u4efd\u9a8c\u8bc1\u4e2d\u95f4\u4ef6\u903b\u8f91\u4e2d\u5305\u542b\u7ade\u4e89\u6761\u4ef6\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u91cd\u8d1f\u8f7d\u4e0b\u67e5\u8be2\u7ba1\u7406\u7aef\u70b9\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-78211",
  "openTime": "2022-11-17",
  "patchDescription": "Grafana\u662fGrafana\u5f00\u6e90\u7684\u4e00\u5957\u63d0\u4f9b\u53ef\u89c6\u5316\u76d1\u63a7\u754c\u9762\u7684\u5f00\u6e90\u76d1\u63a7\u5de5\u5177\u3002\u8be5\u5de5\u5177\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u548c\u5206\u6790Graphite\u3001InfluxDB\u548cPrometheus\u7b49\u3002\r\n\r\nGrafana\u5b58\u5728\u7ade\u4e89\u6761\u4ef6\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u8eab\u4efd\u9a8c\u8bc1\u4e2d\u95f4\u4ef6\u903b\u8f91\u4e2d\u5305\u542b\u7ade\u4e89\u6761\u4ef6\uff0c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u91cd\u8d1f\u8f7d\u4e0b\u67e5\u8be2\u7ba1\u7406\u7aef\u70b9\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Grafana\u7ade\u4e89\u6761\u4ef6\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Grafana Grafana \u003e=9.2.0\uff0c\u003c9.2.4"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-39328",
  "serverity": "\u9ad8",
  "submitTime": "2022-11-10",
  "title": "Grafana\u7ade\u4e89\u6761\u4ef6\u6f0f\u6d1e"
}

GSD-2022-39328

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-39328

Aliases

CVE-2022-39328

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-39328",
    "description": "Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.",
    "id": "GSD-2022-39328",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-39328.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-39328"
      ],
      "details": "Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds.",
      "id": "GSD-2022-39328",
      "modified": "2023-12-13T01:19:20.462163Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-39328",
        "STATE": "PUBLIC",
        "TITLE": "Grafana vulnerable to race condition allowing privilege escalation"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "grafana",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 9.2.0, \u003c 9.2.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "grafana"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch",
            "refsource": "CONFIRM",
            "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20221215-0003/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20221215-0003/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-vqc4-mpj8-jxch",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.2.4",
                "versionStartIncluding": "9.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-39328"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Grafana is an open-source platform for monitoring and observability. Versions starting with 9.2.0 and less than 9.2.4 contain a race condition in the authentication middlewares logic which may allow an unauthenticated user to query an administration endpoint under heavy load. This issue is patched in 9.2.4. There are no known workarounds."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-362"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20221215-0003/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20221215-0003/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-02-16T03:14Z",
      "publishedDate": "2022-11-08T23:15Z"
    }
  }
}

WID-SEC-W-2023-0334

Vulnerability from csaf_certbund - Published: 2022-11-08 23:00 - Updated: 2024-01-23 23:00

Summary

Grafana: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Grafana ist eine Open-Source Analyse- und Visualisierungssoftware.

Angriff

Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um Benutzerrechte zu erlangen, seine Privilegien zu erweitern und um Informationen offenzulegen.

Betroffene Betriebssysteme

- UNIX - Linux - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Grafana ist eine Open-Source Analyse- und Visualisierungssoftware.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um Benutzerrechte zu erlangen, seine Privilegien zu erweitern und um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-0334 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2023-0334.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-0334 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0334"
      },
      {
        "category": "external",
        "summary": "Grafana Security release vom 2022-11-08",
        "url": "https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2023:0362-1 vom 2023-02-10",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-February/013726.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2023:0353-1 vom 2023-02-10",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-February/013725.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2023:0352-1 vom 2023-02-10",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-February/013729.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:3642 vom 2023-06-15",
        "url": "https://access.redhat.com/errata/RHSA-2023:3642"
      },
      {
        "category": "external",
        "summary": "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03",
        "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:6420 vom 2023-11-07",
        "url": "https://access.redhat.com/errata/RHSA-2023:6420"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0191-1 vom 2024-01-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017744.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:0196-1 vom 2024-01-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017743.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Grafana: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-01-23T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:43:22.465+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-0334",
      "initial_release_date": "2022-11-08T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-11-08T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-02-12T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2023-06-15T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-10-03T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von HITACHI aufgenommen"
        },
        {
          "date": "2023-11-07T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2024-01-23T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Hitachi Ops Center \u003c Analyzer 10.9.3-00",
                "product": {
                  "name": "Hitachi Ops Center \u003c Analyzer 10.9.3-00",
                  "product_id": "T030196",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hitachi:ops_center:analyzer_10.9.3-00"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Hitachi Ops Center \u003c Viewpoint 10.9.3-00",
                "product": {
                  "name": "Hitachi Ops Center \u003c Viewpoint 10.9.3-00",
                  "product_id": "T030197",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hitachi:ops_center:viewpoint_10.9.3-00"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Ops Center"
          }
        ],
        "category": "vendor",
        "name": "Hitachi"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Open Source Grafana \u003c 9.2.4",
                "product": {
                  "name": "Open Source Grafana \u003c 9.2.4",
                  "product_id": "T025262",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:grafana:grafana:9.2.4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Open Source Grafana \u003c 8.5.15",
                "product": {
                  "name": "Open Source Grafana \u003c 8.5.15",
                  "product_id": "T025263",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:grafana:grafana:8.5.15"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Grafana"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-39306",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Grafana im Zusammenhang mit Einladungs-Mails. Administratoren k\u00f6nnen Einladungen an Empf\u00e4nger versenden, die noch kein Nutzerkonto in Grafana besitzen, damit diese sich ein Nutzerkonto anlegen k\u00f6nnen. Bei der Nutzung des Einladungs-Links wird jedoch nicht gepr\u00fcft, ob die neu registrierte E-Mail Adresse die Adresse aus der Einladung ist. Somit kann ein Angreifer, der \u00fcber den Einladungs-Link verf\u00fcgt, ein Nutzerkonto f\u00fcr beliebige E-Mail Adressen registrieren und somit Nutzerrechte erlangen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T030196",
          "T030197"
        ]
      },
      "release_date": "2022-11-08T23:00:00.000+00:00",
      "title": "CVE-2022-39306"
    },
    {
      "cve": "CVE-2022-39307",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Grafana im Zusammenhang mit der \"Passwort Vergessen\" Seite. Diese l\u00f6st einen API-Aufruf an \"/api/user/password/sent-reset-email\" aus. Die JSON-Antwort dieses Endpunkts gibt bei nicht bekannten E-Mail Adressen einen \"user not found\" Fehler aus. Ein Angreifer kann dadurch offenlegen, ob ein bestimmter Nutzer im System existiert."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T030196",
          "T030197"
        ]
      },
      "release_date": "2022-11-08T23:00:00.000+00:00",
      "title": "CVE-2022-39307"
    },
    {
      "cve": "CVE-2022-39328",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Grafana aufgrund einer \"Race Condition\" bei der \"HTTP Context\"-Erzeugung. Unter hoher Last kann es dadurch vorkommen, dass eine HTTP Anfrage an die Middleware einer anderen Anfrage gekn\u00fcpft wird. Beispielsweise kann kann eine unprivilegierte Anfrage mit einer privilegierten Anfrage verkn\u00fcpft werden. Ein Angreifer kann dadurch seine Privilegien erweitern."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "67646",
          "T030196",
          "T030197"
        ]
      },
      "release_date": "2022-11-08T23:00:00.000+00:00",
      "title": "CVE-2022-39328"
    }
  ]
}

CERTFR-2022-AVI-1006

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Grafana. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Grafana Labs	Grafana	Grafana versions 9.x antérieures à 9.2.4
	Grafana Labs	Grafana	Grafana versions 8.x antérieures à 8.5.15

References

Title

Publication Time

Tags

Bulletin de sécurité Grafana GHSA-3p62-42x7-gxg5 du 08 novembre 2022	None	vendor-advisory
Bulletin de sécurité Grafana GHSA-vqc4-mpj8-jxch du 08 novembre 2022	None	vendor-advisory
Bulletin de sécurité Grafana GHSA-2x6g-h2hg-rq84 du 08 novembre 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Grafana versions 9.x ant\u00e9rieures \u00e0 9.2.4",
      "product": {
        "name": "Grafana",
        "vendor": {
          "name": "Grafana Labs",
          "scada": false
        }
      }
    },
    {
      "description": "Grafana versions 8.x ant\u00e9rieures \u00e0 8.5.15",
      "product": {
        "name": "Grafana",
        "vendor": {
          "name": "Grafana Labs",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-39307",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39307"
    },
    {
      "name": "CVE-2022-39306",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39306"
    },
    {
      "name": "CVE-2022-39328",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39328"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-1006",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-11-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Grafana. Elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Grafana",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-3p62-42x7-gxg5 du 08 novembre 2022",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-vqc4-mpj8-jxch du 08 novembre 2022",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-2x6g-h2hg-rq84 du 08 novembre 2022",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84"
    }
  ]
}

CERTFR-2022-AVI-1006

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Grafana. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Grafana Labs	Grafana	Grafana versions 9.x antérieures à 9.2.4
	Grafana Labs	Grafana	Grafana versions 8.x antérieures à 8.5.15

References

Title

Publication Time

Tags

Bulletin de sécurité Grafana GHSA-3p62-42x7-gxg5 du 08 novembre 2022	None	vendor-advisory
Bulletin de sécurité Grafana GHSA-vqc4-mpj8-jxch du 08 novembre 2022	None	vendor-advisory
Bulletin de sécurité Grafana GHSA-2x6g-h2hg-rq84 du 08 novembre 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Grafana versions 9.x ant\u00e9rieures \u00e0 9.2.4",
      "product": {
        "name": "Grafana",
        "vendor": {
          "name": "Grafana Labs",
          "scada": false
        }
      }
    },
    {
      "description": "Grafana versions 8.x ant\u00e9rieures \u00e0 8.5.15",
      "product": {
        "name": "Grafana",
        "vendor": {
          "name": "Grafana Labs",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-39307",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39307"
    },
    {
      "name": "CVE-2022-39306",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39306"
    },
    {
      "name": "CVE-2022-39328",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39328"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-1006",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-11-09T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Grafana. Elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Grafana",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-3p62-42x7-gxg5 du 08 novembre 2022",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-vqc4-mpj8-jxch du 08 novembre 2022",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-vqc4-mpj8-jxch"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Grafana GHSA-2x6g-h2hg-rq84 du 08 novembre 2022",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-39328 (GCVE-0-2022-39328)

GHSA-VQC4-MPJ8-JXCH

Privilege escalation

Summary

Impact

Impacted versions

Solutions and mitigations

Reporting security issues

Security announcements

FKIE_CVE-2022-39328

CNVD-2022-78211

GSD-2022-39328

WID-SEC-W-2023-0334

CERTFR-2022-AVI-1006

Solution

CERTFR-2022-AVI-1006

Solution

Tags

Sightings

Nomenclature