Release Date: | 2023-01-30 |
Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker's injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.
See more information about CVE-2022-39324 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.
Base Score: | 6.7 | Base Metrics: | AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L |
Access Vector: | Network | Attack Complexity: | High |
Privileges Required: | Low | User Interaction: | Required |
Scope: | Unchanged | Confidentiality Impact: | High |
Integrity Impact: | High | Availability Impact: | Low |
Platform | Errata | Release Date |
Oracle Linux version 9 (grafana) | ELSA-2023-6420 | 2023-11-11 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team