CVSS3: 3.5 Low

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | LOW |
Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CVSS2: 3.5 Low

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS: 0.001 Low (Percentile 50.4%)
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, a malicious user can create a snapshot and arbitrarily choose the originalUrl parameter by editing the snapshot-creation request, for example with a web proxy. When another user opens the URL of the snapshot, they are presented with the regular web interface delivered by the trusted Grafana server, but the Open original dashboard button no longer points to the real original dashboard; it points to the attacker's injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.
Author | Note |
---|---|
alexmurray | A quick look at the code and it appears that grafana in xenial may be affected by this - but needs a closer look |
github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a
github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c
github.com/grafana/grafana/pull/60232
github.com/grafana/grafana/pull/60256
github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw
launchpad.net/bugs/cve/CVE-2022-39324
nvd.nist.gov/vuln/detail/CVE-2022-39324
security-tracker.debian.org/tracker/CVE-2022-39324
www.cve.org/CVERecord?id=CVE-2022-39324