Main Vulnerability Database Vulnerabilities #VU64402

Information disclosure in Grafana - CVE-2022-21673

Published: June 15, 2022 / Updated: June 16, 2022

Vulnerability identifier: #VU64402

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-21673

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Grafana

Software vendor:
Grafana Labs

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can pass a specially crafted query to the data source with an API token and Forward OAuth Identity feature enabled to gain unauthorized access to sensitive information on the system.

Remediation

Install updates from vendor's website.

External links

https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4
https://github.com/grafana/grafana/releases/tag/v8.3.4
https://github.com/grafana/grafana/releases/tag/v7.5.13
https://security.netapp.com/advisory/ntap-20220303-0004/
https://bugzilla.redhat.com/show_bug.cgi?id=2044628

Information disclosure in Grafana - CVE-2022-21673

Description

Remediation

External links

Please verify you're human