CVE-2022-39201

Aliases:GHSA-x744-mm8v-vpgrBIT-grafana-2022-39201GO-2024-2858

Advisory lineage Upstream: 0 Downstream: 8

Downstream

OPENSUSE-SU-2024:12508-1 RHSA-2023:6420 SUSE-SU-2023:0352-1 SUSE-SU-2023:0353-1 SUSE-SU-2023:0362-1 SUSE-SU-2024:0191-1

Modified

Published: 13 Oct 2022, 00:00

Last modified:23 Apr 2025, 16:50

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.9% LOW

1% probability +0.31%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

13 Oct 2022, 00:00

Published

Vulnerability first disclosed

23 Apr 2025, 16:50

Last Modified

Vulnerability information updated

Description

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.

CVSS Metrics

v4.0•HIGH•Score: 8.5CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
v3.1•MEDIUM•Score: 6.8CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.90%• Percentile: 76%

Techniques & Countermeasures

CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

github.com/grafana•grafana
≥ 5.0.0-beta1, < 8.5.14 | ≥ 9.0.0, < 9.1.8 | ≥ 5.0.0-beta1+incompatible
grafana•grafana
≥ v5.0.0-beta1, < 8.5.14 | ≥ 5.0.1, < 8.5.14 | ≥ 9.0.0, < 9.1.8 | 5.0.0 | 5.0.0:beta1 | 5.0.0:beta2 | 5.0.0:beta3 | 5.0.0:beta4 | 5.0.0:beta5