CVE-2022-23498
HIGH
Grafana 8.3.1-9.2.9 - Unauthenticated Session Exposure via Datasource Query Cache
Title source: llm
Description
Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.
References (2)
Core References
Exploit, Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8
Vendor Advisory
https://security.netapp.com/advisory/ntap-20230309-0007/
Scores
CVSS v3
7.1
EPSS
0.0113
EPSS Percentile
62.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-200
Status
published
Products (2)
grafana/grafana
8.3.0 beta1 (2 CPE variants)
grafana/grafana
8.3.1 - 9.2.10
Published
Feb 03, 2023
Tracked Since
Feb 18, 2026