CVE-2022-39324
Publication date 27 January 2023
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.
Status
Package | Ubuntu Release | Status |
---|---|---|
grafana | ||
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial |
Vulnerable
|
|
14.04 LTS trusty | Ignored end of standard support |
Notes
alexmurray
A quick look at the code and it appears that grafana in xenial may be affected by this - but needs a closer look
Severity score breakdown
Parameter | Value |
---|---|
Base score |
|
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
References
Other references
- https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw
- https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a
- https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c
- https://github.com/grafana/grafana/pull/60232
- https://github.com/grafana/grafana/pull/60256
- https://www.cve.org/CVERecord?id=CVE-2022-39324