6.6

CVE-2022-35957

EPSS 0.75%
Published 20.09.2022 23:15:09
Last modified 21.11.2024 07:12:03
Source security-advisories@github.com
Teams watchlist Login
Open Login

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Grafana ≫ Grafana Version < 8.5.13

Grafana ≫ Grafana Version >= 9.0.0 < 9.0.9

Grafana ≫ Grafana Version >= 9.1.0 < 9.1.6

Fedoraproject ≫ Fedora Version37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.75%	0.724

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.6	0.7	5.9	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	6.6	0.7	5.9	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q

Vendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/

https://security.netapp.com/advisory/ntap-20221215-0001/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-35957

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-35957

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-35957

EUVD