CVE-2022-39306: Grafana contains Improper Input Validation
First published: Wed Oct 26 2022(Updated: )
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non existing users get an email invite, existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization. This introduces a vulnerability which can be used with malicious intent. This issue is patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Grafana Grafana | >=8.0.0<8.5.15 | |
| Grafana Grafana | >=9.0.0<9.2.4 | |
| redhat/grafana 9.2.4 grafana | <8.5.15 | 8.5.15 |
| go/github.com/grafana/grafana | >=9.0.0<9.2.4 | 9.2.4 |
| go/github.com/grafana/grafana | >=8.0.0<8.5.15 | 8.5.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84
- https://security.netapp.com/advisory/ntap-20221215-0004/
- http://tracker.ceph.com/issues/48
- https://pkg.go.dev/github.com/grafana/grafana
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141184
- https://access.redhat.com/errata/RHSA-2023:3642
- https://access.redhat.com/errata/RHSA-2023:6420
- https://bugzilla.redhat.com/show_bug.cgi?id=2138014
- https://nvd.nist.gov/vuln/detail/CVE-2022-39306
- https://github.com/advisories/GHSA-2x6g-h2hg-rq84 (Advisory)
- https://security.netapp.com/advisory/ntap-20221215-0004
Frequently Asked Questions
What is CVE-2022-39306?
CVE-2022-39306 is a vulnerability in Grafana, an open-source platform for monitoring and observability.
What is the severity of CVE-2022-39306?
The severity of CVE-2022-39306 is high, with a CVSS score of 8.1.
How does CVE-2022-39306 affect Grafana?
CVE-2022-39306 affects versions prior to 9.2.4, or 8.5.15 on the 8.X branch, of Grafana and involves improper input validation in the process of adding members to organizations.
How can I fix CVE-2022-39306?
To fix CVE-2022-39306, it is recommended to upgrade to version 9.2.4 or version 8.5.15 (on the 8.X branch) of Grafana.
Where can I find more information about CVE-2022-39306?
You can find more information about CVE-2022-39306 on the following references: [http://tracker.ceph.com/issues/48](http://tracker.ceph.com/issues/48), [https://pkg.go.dev/github.com/grafana/grafana](https://pkg.go.dev/github.com/grafana/grafana), [https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141184](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141184).
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/softwarecombine
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-39306
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- agent/tags
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2x6g-h2hg-rq84
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- vendor/grafana
- canonical/grafana grafana
- version/grafana grafana/8.0.0
- version/grafana grafana/9.0.0
- package-manager/redhat
- package-manager/go