CVE-2022-36062

EUVD-2024-1710
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
GitHub_MCNA
7.6 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
Affected Products (NVD)
VendorProductVersion
grafanagrafana
𝑥
< 8.5.13
grafanagrafana
9.0.0 ≤
𝑥
< 9.0.9
grafanagrafana
9.1.0 ≤
𝑥
< 9.1.6
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
grafana
bionic
dne
focal
dne
jammy
dne
trusty
ignored
xenial
needed
Common Weakness Enumeration
References
https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492
https://security.netapp.com/advisory/ntap-20221215-0001/
https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492
https://security.netapp.com/advisory/ntap-20221215-0001/