CVE-2022-23498

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another users session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
GitHub_MCNA
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
VendorProductVersion
grafanagrafana
8.3.1 ≤
𝑥
< 9.2.10
grafanagrafana
9.3.0 ≤
𝑥
< 9.3.4
grafanagrafana
8.3.0:beta1
grafanagrafana
8.3.0:beta2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
grafana
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
needed
trusty
ignored
Common Weakness Enumeration
References
https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8
https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8
https://security.netapp.com/advisory/ntap-20230309-0007/