CVE-2022-35957

MEDIUM

Grafana <9.1.6, 8.5.13 - Privilege Escalation

Title source: llm

Description

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/

References (3)

Core 3

Core References

Mailing List, Third Party Advisory vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/

Vendor Advisory

https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q

Third Party Advisory

https://security.netapp.com/advisory/ntap-20221215-0001/

Scores

CVSS v3 6.6

EPSS 0.0088

EPSS Percentile 75.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-290

Status published

Products (3)

fedoraproject/fedora 37

grafana/grafana < 8.5.13

grafana/grafana 9.1.0 - 9.1.6Go

Published Sep 20, 2022

Tracked Since Feb 18, 2026