- 268/2022
- Critical
Grafana has released security updates (Grafana 9.2.4, Grafana 8.5.15) to fix several vulnerabilities.
The severity of the addressed vulnerabilities could allow the remote attacker to gain elevated privileges on the system by sending specially-crafted requests or obtaining sensitive information.
Samples of the addressed vulnerabilities:
1. Privilege Escalation: Unauthorized access to arbitrary endpoints (CVE-2022- 39328):
• CVSS: 9.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Gain Access
2. Privilege Escalation: Usernames/email addresses cannot be trusted (CVE-2022-39306):
• CVSS: 6.4
• Attack Vector: Network
• Attack Complexity: High
• Privileges Required: Low
• User Interaction: Required
• Consequences: Gain Privilege
Vulnerabilities
- CVE-2022-39328
- CVE-2022-39306
- CVE-2022-39307
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.