CVE-2022-23498

EUVD-2022-28551
Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
GitHub_MCNA
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Affected Products (NVD)
VendorProductVersion
grafanagrafana
8.3.1 ≤
𝑥
< 9.2.10
grafanagrafana
9.3.0 ≤
𝑥
< 9.3.4
grafanagrafana
8.3.0:beta1
grafanagrafana
8.3.0:beta2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
grafana
bionic
dne
focal
dne
jammy
dne
kinetic
dne
trusty
ignored
xenial
needed
Common Weakness Enumeration
References
https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8
https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8
https://security.netapp.com/advisory/ntap-20230309-0007/