CVE-2022-23498 — Vulnetix

CVE-2022-23498 PUBLISHED

Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.

EPSS 0.12% · 31.0th percentile

Risk Scores

EPSS Score

0.12%

31.0th percentile

Affected Products

Vendor	Product	Versions
Bitnami	grafana	8.3.1, 9.3.0
Bitnami	grafana	8.3.1, 9.3.0

Timeline

Feb 1, 2023 CVE Published
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 16, 2023 EPSS Score
Apr 25, 2023 EPSS Score
Jun 4, 2023 EPSS Score
Jul 14, 2023 EPSS Score
Aug 23, 2023 EPSS Score
Oct 2, 2023 EPSS Score
Nov 11, 2023 EPSS Score
Dec 21, 2023 EPSS Score
Jan 30, 2024 EPSS Score

References

https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8 url
https://security.netapp.com/advisory/ntap-20230309-0007/ url
https://nvd.nist.gov/vuln/detail/CVE-2022-23498 url

Open in Interactive Console →