CVE-2022-44643

Published: Dec 20, 2022Modified: Apr 15, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not be applied when using this policy with the affected versions of the software. This issue affects: Grafana Labs Grafana Enterprise Metrics GEM 1.X versions prior to 1.7.1 on AMD64; GEM 2.X versions prior to 2.3.1 on AMD64.

Affected (2)

Products: Grafana: Enterprise Metrics

1 product

Enterprise Metrics

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Grafana Enterprise Metrics	From 1.0.0 to 1.7.1
Grafana Enterprise Metrics	From 2.0.0 to 2.3.1

Running on/with	Platform Versions
Amd Amd64	All versions

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v171----november-14th-2022

Source: cve@mitre.org

PatchRelease NotesVendor Advisory

https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v231----november-14th-2022

Source: cve@mitre.org

PatchRelease NotesVendor Advisory

https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v171----november-14th-2022

Source: af854a3a-2127-422b-91ae-364da2661108

PatchRelease NotesVendor Advisory

https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v231----november-14th-2022

Source: af854a3a-2127-422b-91ae-364da2661108

PatchRelease NotesVendor Advisory

Timeline

No history available yet.