Alpine: multiple grafana packages: security update to 8.5.13-r0

medium Tenable Cloud Security Plugin ID 404806

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13
are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to
take over the server admin account and gain full control of the grafana instance. All installations should
be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at:
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-
proxy/ (CVE-2022-35957)

- Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9,
and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on
some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where
RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder
permissions to RBAC permissions do not account for the scenario where the only user permission in the
folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and
view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround
when the impacted folder/dashboard is known is to remove the additional permissions manually.
(CVE-2022-36062)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-35957

https://security.alpinelinux.org/vuln/CVE-2022-36062

Plugin Details

Severity: Medium

ID: 404806

Version: Revision 1.34

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2022-35957

CVSS v3

Risk Factor: Medium

Base Score: 6.6

Temporal Score: 5.8

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/20/2022

Reference Information

CVE: CVE-2022-35957, CVE-2022-36062