CVE-2022-23498

Published: Feb 3, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.

Affected (4)

Products: Grafana: Grafana

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Grafana Grafana	From 8.3.1 to 9.2.10
Grafana Grafana	From 9.3.0 to 9.3.4
Grafana Grafana	Version 8.3.0 beta1
Grafana Grafana	Version 8.3.0 beta2

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (3)

https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8

Source: security-advisories@github.com

ExploitMitigationThird Party Advisory

https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

https://security.netapp.com/advisory/ntap-20230309-0007/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.