CVE-2022-23498

HIGH severity · CVSS 7.1 · Information disclosure

7.1CVSS HIGH

Summary

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactLow

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Affected products we track (1)

Grafana

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8Advisory
https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8Advisory
https://security.netapp.com/advisory/ntap-20230309-0007/