6.6

CVE-2022-35957

EPSS 0.75%
Veröffentlicht 20.09.2022 23:15:09
Zuletzt bearbeitet 21.11.2024 07:12:03
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Grafana ≫ Grafana Version < 8.5.13

Grafana ≫ Grafana Version >= 9.0.0 < 9.0.9

Grafana ≫ Grafana Version >= 9.1.0 < 9.1.6

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.75%	0.724

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.6	0.7	5.9	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	6.6	0.7	5.9	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q

Vendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/

https://security.netapp.com/advisory/ntap-20221215-0001/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-35957

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-35957

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-35957

EUVD