When using the forgot-password form on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, the JSON response contains a "user not found" message.

Grafana admins can invite other members to the organization they are an admin for. When admins add members to the organization, non-existing users get an email invite, while existing members are added directly to the organization. When an invite link is sent, it allows users to sign up with whatever username/email address the user chooses and become a member of the organization.

CVE-2022-39306 Grafana - Privilege escalation
Affected versions (package: introduced, fixed): grafana: 9.2.0, 9.2.4; grafana9: 9.2.0, 9.2.4

The CVSS score for this vulnerability is 6.4 (Moderate).

An internal security audit identified a race condition in the Grafana codebase which allowed an unauthenticated user to query an arbitrary endpoint in Grafana. HTTP context creation could cause an HTTP request to be assigned the authentication/authorization middlewares of another call. It is possible that a call protected by a privileged middleware receives instead

On July 4th, as a result of an internal security audit, we discovered a bypass in the plugin signature verification by exploiting a versioning flaw. We believe that this vulnerability is rated at CVSS 6.1.

CVE-2022-31123 Grafana - Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins
Affected versions (package: introduced, fixed): grafana: 7.0.0, 8.5.14 and 9.0.0, 9.1.8; grafana7: 7.0.0 (fixed version not listed); grafana8: 8.0.0, 8.5.14; grafana9: 9.0.0, 9.1.8

On June 26 a security researcher contacted Grafana Labs to disclose a vulnerability with the GitLab data source plugin that could leak the API key. After further analysis, the vulnerability impacts data source and plugin proxy endpoints that carry authentication tokens, but only under some conditions. We believe that this vulnerability is rated at CVSS 4.9.
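The two account-handling issues above (the reset-password response that says "user not found", and an invite link that lets the recipient sign up with any address) share a shape: the server branches on user existence in a way the caller can observe. The following Go program is an added illustration, not Grafana's code and not taken from its advisories; the user store, the outbox, the invite store and the function names (LeakyReset, SafeReset, LooseSignup, StrictSignup) are all constructed for this example. Each flawed handler is shown next to a hardened variant: the reset endpoint returns an identical response whether or not the account exists, and the invite is bound to the e-mail address the admin actually invited.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample user store (hypothetical; stands in for a real user table).
var users = map[string]bool{
	"alice@example.com": true,
	"bob@example.com":   true,
}

// outbox records addresses a reset mail was "sent" to, so tests can verify
// that mail is only generated for accounts that exist.
var outbox []string

func sendResetMail(addr string) { outbox = append(outbox, addr) }

// ResetResponse models the status and JSON message of a reset endpoint.
type ResetResponse struct {
	Status  int
	Message string
}

// LeakyReset reproduces the flaw described above: the response differs
// depending on whether the account exists, so an unauthenticated caller can
// enumerate valid users one POST at a time.
func LeakyReset(loginOrEmail string) ResetResponse {
	key := strings.ToLower(loginOrEmail)
	if !users[key] {
		return ResetResponse{Status: 404, Message: "user not found"}
	}
	sendResetMail(key)
	return ResetResponse{Status: 200, Message: "Email sent"}
}

// SafeReset returns the same status and message on both paths. Mail is still
// only sent for existing accounts, but the caller cannot tell which case hit.
func SafeReset(loginOrEmail string) ResetResponse {
	key := strings.ToLower(loginOrEmail)
	if users[key] {
		sendResetMail(key)
	}
	return ResetResponse{Status: 200, Message: "If the account exists, an email has been sent"}
}

// Invite is an org invite. Email is the address the admin invited; the loose
// variant below ignores it, the strict variant enforces it.
type Invite struct {
	Code  string
	OrgID int64
	Email string
	Role  string
}

var invites = map[string]Invite{} // constructed in-memory invite store

// CreateInvite issues a random single-use code bound to orgID and email.
func CreateInvite(orgID int64, email, role string) (Invite, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Invite{}, err
	}
	inv := Invite{Code: hex.EncodeToString(b), OrgID: orgID, Email: strings.ToLower(email), Role: role}
	invites[inv.Code] = inv
	return inv, nil
}

// Membership is the result of completing sign-up through an invite.
type Membership struct {
	OrgID int64
	Email string
	Role  string
}

// LooseSignup mirrors the flaw: any address submitted with a valid code is
// accepted and becomes a member of the inviting organization.
func LooseSignup(code, email string) (Membership, error) {
	inv, ok := invites[code]
	if !ok {
		return Membership{}, errors.New("invalid or expired invite")
	}
	delete(invites, code)
	return Membership{OrgID: inv.OrgID, Email: strings.ToLower(email), Role: inv.Role}, nil
}

// StrictSignup only completes sign-up for the address the invite was issued
// to, and consumes the code so it cannot be replayed.
func StrictSignup(code, email string) (Membership, error) {
	inv, ok := invites[code]
	if !ok {
		return Membership{}, errors.New("invalid or expired invite")
	}
	if strings.ToLower(email) != inv.Email {
		return Membership{}, errors.New("invite was not issued for this address")
	}
	delete(invites, code)
	return Membership{OrgID: inv.OrgID, Email: inv.Email, Role: inv.Role}, nil
}

func main() {
	fmt.Println("leaky:", LeakyReset("alice@example.com"), LeakyReset("nobody@example.com"))
	fmt.Println("safe: ", SafeReset("alice@example.com"), SafeReset("nobody@example.com"))
	inv, _ := CreateInvite(1, "carol@example.com", "Viewer")
	_, err := StrictSignup(inv.Code, "mallory@example.com")
	fmt.Println("strict signup with other address:", err)
}
```

Two design points worth noting. The uniform reset message is only half the fix: the existing-user path does extra work (template rendering, SMTP), so in a real service the response time should also be made independent of the branch, for example by enqueueing the mail asynchronously. For invites, binding the code to the invited address also means the admin's intent (who joins which org, with which role) is carried by the server-side record, not by whatever the recipient types into the sign-up form.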