Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.
References
Link | Resource |
---|---|
https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8 | Exploit Mitigation Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 03:44
Type | Values Removed | Values Added |
---|---|---|
Summary | Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4. |
14 Jul 2023, 19:34
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-Other |
14 Feb 2023, 02:01
Type | Values Removed | Values Added |
---|---|---|
First Time |
Grafana
Grafana grafana |
|
References | (MISC) https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8 - Exploit, Mitigation, Third Party Advisory | |
CPE | cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:* cpe:2.3:a:grafana:grafana:8.3.0:beta2:*:*:*:*:*:* cpe:2.3:a:grafana:grafana:8.3.0:beta1:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
03 Feb 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-02-03 22:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-23498
Mitre link : CVE-2022-23498
CVE.ORG link : CVE-2022-23498
JSON object : View
Products Affected
grafana
- grafana
CWE