Vulnerability Description
Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Grafana | Grafana | >= 8.3.1, < 9.2.10 |
Related Weaknesses (CWE)
References
- https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8ExploitMitigationThird Party Advisory
- https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8ExploitMitigationThird Party Advisory
- https://security.netapp.com/advisory/ntap-20230309-0007/
FAQ
What is CVE-2022-23498?
CVE-2022-23498 is a vulnerability with a CVSS score of 7.1 (HIGH). Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queri...
How severe is CVE-2022-23498?
CVE-2022-23498 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23498?
Check the references section above for vendor advisories and patch information. Affected products include: Grafana Grafana.