Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-23498

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.

Published

2023-02-03T22:15:09.463

Last Modified

2024-11-21T06:48:41.343

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.1 (HIGH)

Weaknesses

Type: Secondary
CWE-200
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	grafana	grafana	< 9.2.10	Yes
Application	grafana	grafana	< 9.3.4	Yes
Application	grafana	grafana	8.3.0	Yes
Application	grafana	grafana	8.3.0	Yes

References

https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8 Exploit, Mitigation, Third Party Advisory ([email protected])
https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8 Exploit, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230309-0007/ (af854a3a-2127-422b-91ae-364da2661108)