CVE-2022-28660

Published: May 20, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode

Affected (2)

Products: Grafana: Grafana

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Grafana Grafana	From 1.1.0 to 1.2.1
Grafana Grafana	Version 1.3.0

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (4)

https://grafana.com/docs/enterprise-logs/latest/gel-releases/#v121----may-3-2022

Source: cve@mitre.org

Release NotesVendor Advisory

https://security.netapp.com/advisory/ntap-20220707-0004/

Source: cve@mitre.org

Third Party Advisory

https://grafana.com/docs/enterprise-logs/latest/gel-releases/#v121----may-3-2022

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://security.netapp.com/advisory/ntap-20220707-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.