Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens. The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP Header based authentication.

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-6420 advisory.

  - Grafana is an open-source platform for monitoring and observability. Starting with the 8.1 branch and     prior to versions 8.5.16, 9.2.10, and 9.3.4, Grafana had a stored XSS vulnerability affecting the core     plugin GeoMap. The stored XSS vulnerability was possible because SVG files weren't properly sanitized and     allowed arbitrary JavaScript to be executed in the context of the currently authorized user of the Grafana     instance. An attacker needs to have the Editor role in order to change a panel to include either an     external URL to a SVG-file containing JavaScript, or use the `data:` scheme to load an inline SVG-file     containing JavaScript. This means that vertical privilege escalation is possible, where a user with Editor     role can change to a known password for a user having Admin role if the user with Admin role executes     malicious JavaScript viewing a dashboard. Users may upgrade to version 8.5.16, 9.2.10, or 9.3.4 to receive     a fix. (CVE-2022-23552)

  - Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1     and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins.
    The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination     plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for     this issue. There are no known workarounds. (CVE-2022-39201)

  - Grafana is an open-source platform for monitoring and observability. When using the forget password on the     login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or     email does not exist, a JSON response contains a user not found message. This leaks information to     unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported     to 8.5.15. There are no known workarounds. (CVE-2022-39307)

  - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on     the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the     organization they are an admin for. When admins add members to the organization, non existing users get an     email invite, existing members are added directly to the organization. When an invite link is sent, it     allows users to sign up with whatever username/email address the user chooses and become a member of the     organization. This introduces a vulnerability which can be used with malicious intent. This issue is     patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
    (CVE-2022-39306)

  - Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8,     malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the     query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with     the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no     longer points to the to the real original dashboard but to the attacker's injected URL. This issue is     fixed in versions 8.5.16 and 9.2.8. (CVE-2022-39324)

  - Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and     8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server     admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.
    Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins     downloaded from untrusted sources. (CVE-2022-31123)

  - Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints     prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some     conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
    The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14     contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP     Header based authentication. (CVE-2022-31130)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server     connections contain a cache of HTTP header keys sent by the client. While the total number of entries in     this cache is capped, an attacker sending very large keys can cause the server to allocate approximately     64 MiB per open connection. (CVE-2022-41717)

  - HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs,     potentially leading to a denial of service. Certain unusual patterns of input data can cause the common     function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold     the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large     amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service.
    With fix, header parsing now correctly allocates only the memory required to hold parsed headers.
    (CVE-2023-24534)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:6420 advisory.

  - grafana: persistent xss in grafana core plugins (CVE-2022-23552)

  - grafana: plugin signature bypass (CVE-2022-31123)

  - grafana: data source and plugin proxy endpoints leaking authentication tokens to some destination plugins     (CVE-2022-31130)

  - grafana: Data source and plugin proxy endpoints could leak the authentication cookie to some destination     plugins (CVE-2022-39201)

  - grafana: email addresses and usernames cannot be trusted (CVE-2022-39306)

  - grafana: User enumeration via forget password (CVE-2022-39307)

  - grafana: Spoofing of the originalUrl parameter of snapshots (CVE-2022-39324)

  - golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

  - golang: net/http, net/textproto: denial of service from excessive memory allocation (CVE-2023-24534)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0353-1 advisory.

  - Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and     8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server     admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.
    Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins     downloaded from untrusted sources. (CVE-2022-31123)

  - Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints     prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some     conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
    The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14     contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP     Header based authentication. (CVE-2022-31130)

  - Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1     and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins.
    The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination     plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for     this issue. There are no known workarounds. (CVE-2022-39201)

  - Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to     9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email     address as a username. A Grafana user's username and email address are unique fields, that means no other     user can have the same username or email address as another user. A user can have an email address as a     username. However, the login system allows users to log in with either username or email address. Since     Grafana allows a user to log in with either their username or email address, this creates an usual     behavior where `user_1` can register with one email address and `user_2` can register their username as     `user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password     won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no     workarounds for this issue. (CVE-2022-39229)

  - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on     the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the     organization they are an admin for. When admins add members to the organization, non existing users get an     email invite, existing members are added directly to the organization. When an invite link is sent, it     allows users to sign up with whatever username/email address the user chooses and become a member of the     organization. This introduces a vulnerability which can be used with malicious intent. This issue is     patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
    (CVE-2022-39306)

  - Grafana is an open-source platform for monitoring and observability. When using the forget password on the     login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or     email does not exist, a JSON response contains a user not found message. This leaks information to     unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported     to 8.5.15. There are no known workarounds. (CVE-2022-39307)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0362-1 advisory.

  - Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and     8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server     admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.
    Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins     downloaded from untrusted sources. (CVE-2022-31123)

  - Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints     prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some     conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
    The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14     contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP     Header based authentication. (CVE-2022-31130)

  - Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1     and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins.
    The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination     plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for     this issue. There are no known workarounds. (CVE-2022-39201)

  - Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to     9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email     address as a username. A Grafana user's username and email address are unique fields, that means no other     user can have the same username or email address as another user. A user can have an email address as a     username. However, the login system allows users to log in with either username or email address. Since     Grafana allows a user to log in with either their username or email address, this creates an usual     behavior where `user_1` can register with one email address and `user_2` can register their username as     `user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password     won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no     workarounds for this issue. (CVE-2022-39229)

  - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on     the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the     organization they are an admin for. When admins add members to the organization, non existing users get an     email invite, existing members are added directly to the organization. When an invite link is sent, it     allows users to sign up with whatever username/email address the user chooses and become a member of the     organization. This introduces a vulnerability which can be used with malicious intent. This issue is     patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
    (CVE-2022-39306)

  - Grafana is an open-source platform for monitoring and observability. When using the forget password on the     login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or     email does not exist, a JSON response contains a user not found message. This leaks information to     unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported     to 8.5.15. There are no known workarounds. (CVE-2022-39307)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 6f6c9420-6297-11ed-9ca2-6c3be5272acd advisory.

  - Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints     prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some     conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
    The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14     contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP     Header based authentication. (CVE-2022-31130)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
185870	Oracle Linux 9 : grafana (ELSA-2023-6420)	Nessus	Oracle Linux Local Security Checks	high
185127	RHEL 9 : grafana (RHSA-2023:6420)	Nessus	Red Hat Local Security Checks	high
171431	openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:0353-1)	Nessus	SuSE Local Security Checks	high
171401	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)	Nessus	SuSE Local Security Checks	high
167324	FreeBSD : Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins (6f6c9420-6297-11ed-9ca2-6c3be5272acd)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-31130

high

Tenable Plugins

high

high

high

high

high