CVE-2022-39201

13.10.2022, 23:15

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.8 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 76%

Affected Products (NVD)

Vendor	Product	Version
grafana	grafana	5.0.1 ≤ 𝑥 < 8.5.14
grafana	grafana	9.0.0 ≤ 𝑥 < 9.1.8
grafana	grafana	5.0.0
grafana	grafana	5.0.0:beta1
grafana	grafana	5.0.0:beta2
grafana	grafana	5.0.0:beta3
grafana	grafana	5.0.0:beta4
grafana	grafana	5.0.0:beta5