CVE-2022-21703

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

CVSS v3 6.3 MEDIUM
CVSS v2.0 6.8 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/grafana/grafana/pull/45083	Issue Tracking Patch Third Party Advisory
https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w	Mitigation Release Notes Third Party Advisory
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/	Mitigation Release Notes Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
https://security.netapp.com/advisory/ntap-20220303-0005/	Third Party Advisory
https://github.com/grafana/grafana/pull/45083	Issue Tracking Patch Third Party Advisory
https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w	Mitigation Release Notes Third Party Advisory
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/	Mitigation Release Notes Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
https://security.netapp.com/advisory/ntap-20220303-0005/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana::::::::
	cpe:2.3:a:grafana:grafana:3.0.0:beta1::::::
	cpe:2.3:a:grafana:grafana:3.0.0:beta2::::::
	cpe:2.3:a:grafana:grafana:3.0.0:beta3::::::
	cpe:2.3:a:grafana:grafana:3.0.0:beta4::::::
	cpe:2.3:a:grafana:grafana:3.0.0:beta5::::::
	cpe:2.3:a:grafana:grafana:3.0.0:beta6::::::
	cpe:2.3:a:grafana:grafana:3.0.0:beta7::::::

Configuration 2 (hide)

cpe:2.3:a:netapp:e-series_performance_analyzer:*:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

History

21 Nov 2024, 06:45

Type	Values Removed	Values Added
CVSS	v2 : ~~6.8~~ v3 : ~~8.8~~	v2 : 6.8 v3 : 6.3
References	~~() https://github.com/grafana/grafana/pull/45083 - Issue Tracking, Patch, Third Party Advisory~~	() https://github.com/grafana/grafana/pull/45083 - Issue Tracking, Patch, Third Party Advisory
References	~~() https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w - Mitigation, Release Notes, Third Party Advisory~~	() https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w - Mitigation, Release Notes, Third Party Advisory
References	~~() https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ - Mitigation, Release Notes, Vendor Advisory~~	() https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ - Mitigation, Release Notes, Vendor Advisory
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/ -
References	~~() https://security.netapp.com/advisory/ntap-20220303-0005/ - Third Party Advisory~~	() https://security.netapp.com/advisory/ntap-20220303-0005/ - Third Party Advisory

Information

Published : 2022-02-08 21:15

Updated : 2024-11-21 06:45

NVD link : CVE-2022-21703

Mitre link : CVE-2022-21703

CVE.ORG link : CVE-2022-21703

JSON object : View

Products Affected

grafana

grafana

netapp

e-series_performance_analyzer

fedoraproject

fedora

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2022-21703", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-02-08T21:15:20.150", "references": [{"url": "https://github.com/grafana/grafana/pull/45083", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w", "tags": ["Mitigation", "Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/", "tags": ["Mitigation", "Release Notes", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/", "source": "security-advisories@github.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/", "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20220303-0005/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/grafana/grafana/pull/45083", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w", "tags": ["Mitigation", "Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/", "tags": ["Mitigation", "Release Notes", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20220303-0005/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."}, {"lang": "es", "value": "Grafana es una plataforma de c\u00f3digo abierto para la monitorizaci\u00f3n y la observabilidad. Las versiones afectadas est\u00e1n sujetas a una vulnerabilidad de tipo cross site request forgery que permite a atacantes elevar sus privilegios al montar ataques de origen cruzado contra usuarios autenticados de Grafana con altos privilegios (por ejemplo, editores o administradores). Un atacante puede explotar esta vulnerabilidad para una elevaci\u00f3n de privilegios al enga\u00f1ar a un usuario autenticado para que invite al atacante como un nuevo usuario con altos privilegios. Se recomienda a usuarios actualizar lo antes posible. No hay medidas de mitigaci\u00f3n adicionales conocidas para este problema"}], "lastModified": "2024-11-21T06:45:16.160", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F2335D6-B310-42E7-8FC8-25B8E2264829", "versionEndExcluding": "7.5.15", "versionStartIncluding": "3.0.1"}, {"criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16145A8D-9FF1-4EEE-8E29-198B408582B8", "versionEndExcluding": "8.3.5", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:grafana:grafana:3.0.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D738463C-2E39-42D3-A730-5A49594825CC"}, {"criteria": "cpe:2.3:a:grafana:grafana:3.0.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "152CFB89-E06C-455E-8B72-016F44D33DA1"}, {"criteria": "cpe:2.3:a:grafana:grafana:3.0.0:beta3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3E44CD01-FC42-4A90-B976-87E65F3C3E44"}, {"criteria": "cpe:2.3:a:grafana:grafana:3.0.0:beta4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B0D67F3-2D3C-4DB7-BF59-4719BCF8A613"}, {"criteria": "cpe:2.3:a:grafana:grafana:3.0.0:beta5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1804B55D-0FAA-4529-9749-8342A779430D"}, {"criteria": "cpe:2.3:a:grafana:grafana:3.0.0:beta6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAF5DF18-EAD2-4888-B1B7-0506C0F893EB"}, {"criteria": "cpe:2.3:a:grafana:grafana:3.0.0:beta7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9376D16C-2453-4E08-981C-4789F741FA5E"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:e-series_performance_analyzer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC05F69D-6C6B-472D-87B7-84231F14CA8B", "versionEndExcluding": "3.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA"}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

6.3 /10