Information disclosure in Grafana - CVE-2022-23498

 

Information disclosure in Grafana - CVE-2022-23498

Published: February 1, 2023


Vulnerability identifier: #VU71740
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-23498
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Grafana Labs
Affected software:
Grafana

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to all headers being cached, when datasource query caching is enabled (including when rotating the Grafana session cookie via a Set-Cookie grafana_session header). A remote attacker can gain unauthorized access to sensitive information on the system.


How to mitigate CVE-2022-23498

Install updates from vendor's website.

Sources