CVE-2022-31097
Source: NVD (web.nvd.nist.gov)
Published: 2022-07-15 12:15:08
Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Tags: grafana, cross-site scripting, unified alerting, privilege escalation, patch, workaround

CVSS v3.1 base score: 8.7 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: Required
  Scope: Changed
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: None

EPSS: 0.006 (percentile 77.6%)

Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branches prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker with the Editor role can exploit this vulnerability to escalate privilege to Admin by tricking an authenticated admin into clicking a link, which is why the CVSS vector carries User Interaction: Required and Scope: Changed. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting until the upgrade is done.
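The advisory gives four version ranges and a configuration workaround, which is exactly what an operator needs to triage a fleet. The script below is an added example, not code from the NVD entry or from the Grafana project: it checks a version string against the affected ranges above (start inclusive, end exclusive, because each range's end is the release carrying the patch) and reports whether the workaround is in place. Two assumptions are not stated on this page and are marked in the code: that the Grafana /api/health JSON body carries a "version" field, and that grafana.ini controls the feature through a [unified_alerting] section with an enabled key. The sample health response and ini text are constructed.

```python
"""Triage helper for CVE-2022-31097 (stored XSS in Grafana Unified Alerting).

Added example, not code from the NVD entry or from the Grafana project.
Assumptions (not stated on this page): the Grafana /api/health JSON body
carries a "version" field, and grafana.ini controls the feature through
[unified_alerting] enabled.  Sample inputs below are constructed.
"""
import configparser
import json
import re
from typing import Optional, Tuple

# Affected ranges from the advisory. Start is inclusive; end is exclusive,
# because the end version of each range is the release that carries the patch.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 3, 10)),
    ((8, 4, 0), (8, 4, 10)),
    ((8, 5, 0), (8, 5, 9)),
    ((9, 0, 0), (9, 0, 3)),
]

# Constructed sample data standing in for a live instance.
SAMPLE_HEALTH = '{"commit": "0000000", "database": "ok", "version": "8.5.2"}'
SAMPLE_INI = """
[alerting]
enabled = true

[unified_alerting]
enabled = false
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH', tolerating a leading 'v' and suffixes like '-beta1'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Grafana version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release a vulnerable version should move to, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:  # tuple comparison gives numeric semver ordering
            return ".".join(str(n) for n in hi)
    return None


def version_from_health(body: str) -> str:
    """Pull the version out of a /api/health response body (assumed 'version' key)."""
    return json.loads(body)["version"]


def unified_alerting_setting(ini_text: str) -> Optional[bool]:
    """Return the explicit [unified_alerting] enabled value, or None if grafana.ini does not set it.

    None is reported rather than guessed: the built-in default differs between
    Grafana releases, so an absent key must be resolved against the installed
    version's documentation, not assumed.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(ini_text)
    return cp.getboolean("unified_alerting", "enabled", fallback=None)


def triage(health_body: str, ini_text: str) -> str:
    """Combine the version check and the workaround check into one verdict line."""
    version = version_from_health(health_body)
    fixed = fixed_version_for(version)
    if fixed is None:
        return f"Grafana {version}: not in an affected range for CVE-2022-31097"
    if unified_alerting_setting(ini_text) is False:
        return (f"Grafana {version}: affected; workaround in place (unified alerting disabled); "
                f"still upgrade to {fixed}")
    return f"Grafana {version}: affected; upgrade to {fixed} or disable unified alerting"


if __name__ == "__main__":
    print(triage(SAMPLE_HEALTH, SAMPLE_INI))
```

The workaround check deliberately reports "unset" instead of applying a default, because the advisory does not say what Unified Alerting defaults to on each affected branch; treat an absent key as "verify on the host". The legacy [alerting] section is not interpreted: the advisory's two workarounds (disable alerting, use legacy alerting) both amount to Unified Alerting being off, so that flag is the one this example decides on.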

Affected configurations (NVD)

Node 1 (any of the following; range start inclusive, range end exclusive since the end version is the patched release):
  grafana / grafana  8.0.0 up to, but not including, 8.3.10
  OR grafana / grafana  8.4.0 up to, but not including, 8.4.10
  OR grafana / grafana  8.5.0 up to, but not including, 8.5.9
  OR grafana / grafana  9.0.0 up to, but not including, 9.0.3
Node 2:
  netapp / e-series_performance_analyzer  (match on product only, no version given)

Vendor   Product                        Version  CPE
grafana  grafana                        *        cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
netapp   e-series_performance_analyzer  -        cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
