CVE-2022-39201: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
First published: Fri Sep 30 2022(Updated: )
CVE-2022-39201: Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. Affected versions: Grafana <= 9.1.x
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grafana Grafana | >=5.0.1<8.5.14 | |
| Grafana Grafana | >=9.0.0<9.1.8 | |
| Grafana Grafana | =5.0.0 | |
| Grafana Grafana | =5.0.0-beta1 | |
| Grafana Grafana | =5.0.0-beta2 | |
| Grafana Grafana | =5.0.0-beta3 | |
| Grafana Grafana | =5.0.0-beta4 | |
| Grafana Grafana | =5.0.0-beta5 | |
| go/github.com/grafana/grafana | >=9.0.0<9.1.8 | 9.1.8 |
| go/github.com/grafana/grafana | >=5.0.0-beta1<8.5.14 | 8.5.14 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57
- https://github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9
- https://github.com/grafana/grafana/releases/tag/v9.1.8
- https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2134706
- https://access.redhat.com/errata/RHSA-2023:3642
- https://access.redhat.com/errata/RHSA-2023:6420
- https://bugzilla.redhat.com/show_bug.cgi?id=2131148
- https://nvd.nist.gov/vuln/detail/CVE-2022-39201
- https://github.com/advisories/GHSA-x744-mm8v-vpgr (Advisory)
Frequently Asked Questions
What is CVE-2022-39201?
CVE-2022-39201 is a vulnerability in Grafana that could leak the authentication cookie of users to plugins.
What is the severity of CVE-2022-39201?
CVE-2022-39201 has a severity score of 7.5, which is considered high.
Which versions of Grafana are affected by CVE-2022-39201?
Versions 5.0.0-beta1 to 8.5.14 and 9.0.0 to 9.1.8 of Grafana are affected by CVE-2022-39201.
How can the authentication cookie leak vulnerability be exploited?
The authentication cookie leak vulnerability in Grafana can be exploited by certain conditions on data source and plugin proxy endpoints.
Where can I find more information about CVE-2022-39201?
More information about CVE-2022-39201 can be found at the following references: [Reference 1](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2134706), [Reference 2](https://access.redhat.com/errata/RHSA-2023:3642), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi?id=2131148)
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-39201
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- agent/tags
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x744-mm8v-vpgr
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/5.0.1
- version/grafana grafana/9.0.0
- version/grafana grafana/5.0.0
- version/grafana grafana/5.0.0-beta1
- version/grafana grafana/5.0.0-beta2
- version/grafana grafana/5.0.0-beta3
- version/grafana grafana/5.0.0-beta4
- version/grafana grafana/5.0.0-beta5
- package-manager/go