CVE-2022-21703

MEDIUM

Grafana 3.0.1-7.5.14 - Cross-Site Request Forgery for Privilege Escalation


Description

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross-site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

References (7)

Core References
Mitigation, Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/grafana/grafana/pull/45083
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220303-0005/

Scores

CVSS v3 6.3
EPSS 0.0187
EPSS Percentile 83.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (7)
fedoraproject/fedora 34
fedoraproject/fedora 35
fedoraproject/fedora 36
grafana/grafana 3.0.0 beta1 (7 CPE variants)
grafana/grafana 3.0-beta1 - 7.5.15 (Go)
grafana/grafana 3.0.1 - 7.5.15
netapp/e-series_performance_analyzer < 3.0
Published Feb 08, 2022
Tracked Since Feb 18, 2026