#VU64394 Authorization bypass through user-controlled key in Grafana - CVE-2022-21713


Published: June 15, 2022 / Updated: June 16, 2022


Vulnerability identifier: #VU64394
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-21713
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Grafana
Software vendor: Grafana Labs

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to an Insecure Direct Object Reference (IDOR) error in the Grafana Teams APIs. A remote authenticated user can view unintended data by querying for a specific team ID, or by searching for teams and seeing the total number of available teams.
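As an added illustration (not code from the Grafana project), the hypothetical Go team lookup below shows the CWE-639 pattern beside its fix: the unscoped function keys only on the user-supplied team ID, while the scoped functions take the organisation from the caller's session and make it part of the lookup, which also keeps search totals per organisation. All names and the sample data are assumptions constructed for this example.

```go
package main

import "errors"

// Team is a hypothetical record for this example; Grafana's real model is not reproduced.
type Team struct{ ID, OrgID int64 }

// ErrNotFound covers both "no such team" and "team in another org", so the response
// does not reveal whether a guessed ID exists outside the caller's organisation.
var ErrNotFound = errors.New("team not found")

// Teams is constructed sample data standing in for the database: two orgs, three teams.
var Teams = []Team{{ID: 1, OrgID: 1}, {ID: 2, OrgID: 1}, {ID: 3, OrgID: 2}}

// GetTeamByIDUnscoped is the IDOR pattern: the user-supplied team ID is the whole
// lookup key, so a caller in org 1 can read org 2's team just by supplying its ID.
func GetTeamByIDUnscoped(teamID int64) (Team, error) {
	for _, t := range Teams {
		if t.ID == teamID {
			return t, nil
		}
	}
	return Team{}, ErrNotFound
}

// GetTeamByID is the hardened form: the org ID is taken from the caller's session, never
// from the request, and forms part of the key, so other orgs' IDs resolve to not-found.
func GetTeamByID(callerOrgID, teamID int64) (Team, error) {
	for _, t := range Teams {
		if t.ID == teamID && t.OrgID == callerOrgID {
			return t, nil
		}
	}
	return Team{}, ErrNotFound
}

// CountTeams scopes the total a team search reports to the caller's organisation, so
// the count does not disclose how many teams exist server-wide.
func CountTeams(callerOrgID int64) int {
	n := 0
	for _, t := range Teams {
		if t.OrgID == callerOrgID {
			n++
		}
	}
	return n
}
```

Returning the same not-found error for a missing team and for a team in another organisation matters: a distinct "forbidden" response would still confirm that the guessed ID exists.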


Remediation

Install updates from the vendor's website.

External links