ByteOS Network

NVD Vulnerability Details :

CVE-2022-39306

Analyzed

Source-security-advisories@github.com

Published At-09 Nov, 2022 | 22:15

Updated At-16 Feb, 2023 | 03:19

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Secondary	3.1	6.4	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

CPE Matches

Grafana Labs

>>grafana>>Versions from 8.0.0(inclusive) to 8.5.15(exclusive)

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

Grafana Labs

>>grafana>>Versions from 9.0.0(inclusive) to 9.2.4(exclusive)

cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-20	Primary	security-advisories@github.com
CWE-20	Secondary	nvd@nist.gov

References

Hyperlink	Source	Resource
https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84	security-advisories@github.com	Patch Vendor Advisory
https://security.netapp.com/advisory/ntap-20221215-0004/	security-advisories@github.com	Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History