cvelist | Mitre | CVELIST:CVE-2022-44643
History: Dec 21, 2022 - 1:21 a.m.

CVE-2022-44643 Access policy with access to all tenants and using label selectors has more access

2022-12-21 01:21:43
mitre
www.cve.org
7
grafana labs
access control
label-based
vulnerability
amd64
gem 1.x
gem 2.x.

CVSS3: 5.7
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score: 8.8
Confidence: High

EPSS: 0.001
Percentile: 37.1%

A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not be applied when using this policy with the affected versions of the software. This issue affects: Grafana Labs Grafana Enterprise Metrics GEM 1.X versions prior to 1.7.1 on AMD64; GEM 2.X versions prior to 2.3.1 on AMD64.
