Vulnerability Name:

CVE-2022-31097 (CCN-231305)

Assigned:2022-07-14
Published:2022-07-14
Updated:2022-11-23
Summary:Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
CVSS v3 Severity:8.7 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)
7.6 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): None
7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): None
CVSS v2 Severity:8.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2022-31097

Source: XF
Type: UNKNOWN
grafana-cve202231097-xss(231305)

Source: CCN
Type: Grafana GIT Repository
Stored XSS in Unified Alerting

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f

Source: MISC
Type: Release Notes, Vendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9/

Source: MISC
Type: Release Notes, Vendor Advisory
https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3/

Source: MISC
Type: Release Notes, Vendor Advisory
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220901-0010/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:grafana:grafana:*:*:*:*:*:*:*:* (Version >= 9.0.0 and < 9.0.3)
  • OR cpe:/a:grafana:grafana:*:*:*:*:*:*:*:* (Version >= 8.5.0 and < 8.5.9)
  • OR cpe:/a:grafana:grafana:*:*:*:*:*:*:*:* (Version >= 8.4.0 and < 8.4.10)
  • OR cpe:/a:grafana:grafana:*:*:*:*:*:*:*:* (Version >= 8.0.0 and < 8.3.10)

Configuration 2:
  • cpe:/a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8169 | P | Security update for SUSE Manager Client Tools (Important) | 2023-06-21
oval:org.opensuse.security:def:639 | P | Security update for grafana (Important) (in QA) | 2022-10-06
oval:org.opensuse.security:def:640 | P | Security update for SUSE Manager Client Tools (Moderate) (in QA) | 2022-09-29