CVE-2022-36062

Published: 20 Sep 2022
Source: redhat
CVSS3: 6.4
EPSS: Low

Description

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions, resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards: the migrations that translate legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission on the folder is Admin; as a result, RBAC adds permissions for Editors and Viewers that allow them to edit and view the folder accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround, when the impacted folder/dashboard is known, is to remove the additional permissions manually.

A flaw was found in Grafana. This vulnerability impacts folders/dashboards with Admin-only permissions and where role-based access control (RBAC) was ever enabled at least once. When RBAC is enabled, Grafana runs migrations that translate legacy access control permissions into RBAC permissions. The migrations contain a bug, which grants additional access to folders/dashboards that only had the Admin role grant, resulting in a privilege escalation where Editors can edit and Viewers can view the folder/dashboard to which they should not have access.
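To make the migration defect concrete, the following Python model was written for this page; it is not Grafana's migration code, and the grant shapes (a `Grant` of subject and level, role subjects prefixed `role:`, user subjects prefixed `user:`) and the "default Editor/Viewer grants" rule are assumptions of the model. It shows the buggy translation beside the fixed one, and a helper that lists the surplus role grants an administrator would remove by hand as the workaround describes.

```python
"""
Simplified model of the CVE-2022-36062 migration defect: legacy Grafana folder
permissions translated to RBAC. Illustrative model written for this page,
not Grafana's code; data shapes and the default-grant rule are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Legacy permission levels, as named in the Grafana UI.
VIEW, EDIT, ADMIN = "View", "Edit", "Admin"

# Built-in roles the migration may grant access to.
EDITOR, VIEWER = "Editor", "Viewer"

# Assumption of this model: grants a folder receives when the migration
# decides to apply defaults (Editors may edit, Viewers may view).
DEFAULT_ROLE_GRANTS = {EDITOR: EDIT, VIEWER: VIEW}


@dataclass(frozen=True)
class Grant:
    subject: str   # "user:alice" or "role:Editor" (hypothetical naming)
    level: str     # View / Edit / Admin


def migrate_legacy_buggy(legacy: List[Grant]) -> List[Grant]:
    """Model of the vulnerable migration: legacy grants are carried over, and
    the Editor/Viewer defaults are synthesised whenever the folder carries no
    explicit grant for those roles. A folder whose only grant is a user's
    Admin permission therefore gains Editor/Viewer access it never had."""
    migrated = list(legacy)
    present = {g.subject for g in legacy}
    for role, level in DEFAULT_ROLE_GRANTS.items():
        if f"role:{role}" not in present:
            migrated.append(Grant(f"role:{role}", level))
    return migrated


def migrate_legacy_fixed(legacy: List[Grant]) -> List[Grant]:
    """Model of the patched behaviour: defaults are only applied to a folder
    that has no legacy grants at all (assumption); any explicit grant, Admin
    alone included, is translated as-is with nothing added."""
    if not legacy:
        return [Grant(f"role:{r}", lvl) for r, lvl in DEFAULT_ROLE_GRANTS.items()]
    return list(legacy)


def excess_role_grants(legacy: List[Grant], migrated: List[Grant]) -> List[Grant]:
    """Workaround helper: role grants present after migration that have no
    counterpart in the legacy permissions. On an affected folder these are
    the entries to remove manually."""
    legacy_subjects = {g.subject for g in legacy}
    return [g for g in migrated
            if g.subject.startswith("role:") and g.subject not in legacy_subjects]


if __name__ == "__main__":
    # Constructed sample: a folder where alice's Admin grant is the only permission.
    legacy = [Grant("user:alice", ADMIN)]
    buggy = migrate_legacy_buggy(legacy)
    print("buggy migration :", buggy)
    print("fixed migration :", migrate_legacy_fixed(legacy))
    print("grants to remove:", excess_role_grants(legacy, buggy))
```

Running the block prints the two synthesised `role:Editor` / `role:Viewer` grants under the buggy path and an unchanged Admin-only list under the fixed path; the `excess_role_grants` output is the list the workaround tells an administrator to remove.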

Report

Grafana RBAC is available in Grafana Enterprise, which is not shipped in any of the Red Hat products.

Affected packages

Platform | Package | Status | Recommendation | Release
OpenShift Service Mesh 2.0 | servicemesh-grafana | Not affected | |
OpenShift Service Mesh 2.1 | servicemesh-grafana | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-grafana-rhel8 | Not affected | |
Red Hat build of Quarkus | grafana | Not affected | |
Red Hat Ceph Storage 3 | grafana | Not affected | |
Red Hat Ceph Storage 4 | rhceph/rhceph-4-dashboard-rhel8 | Not affected | |
Red Hat Ceph Storage 5 | rhceph/rhceph-5-dashboard-rhel8 | Not affected | |
Red Hat Enterprise Linux 8 | grafana | Not affected | |
Red Hat Enterprise Linux 9 | grafana | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-grafana | Not affected | |


Additional information

Status: Moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2125521
grafana: Grafana RBAC folders/dashboards privilege escalation

EPSS

Percentile: 35%
Score: 0.00142
Low

CVSS3

6.4 Medium

Related vulnerabilities

CVSS3: 7.6
ubuntu
more than 2 years ago

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.

CVSS3: 7.6
nvd
more than 2 years ago

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.

CVSS3: 7.6
debian
more than 2 years ago

Grafana is an open-source platform for monitoring and observability. I ...

CVSS3: 7.6
github
about 1 year ago

Grafana folders admin only permission privilege escalation

suse-cvrf
more than 2 years ago

Security update for SUSE Manager Client Tools
