CVE-2022-35957

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-35957
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35957.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-35957
Aliases
Downstream
Related
Published
2022-09-20T00:00:00Z
Modified
2026-04-10T04:49:11.076903Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin
Details

Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35957.json",
    "cwe_ids": [
        "CWE-290"
    ]
}
References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
b5c56f63710e09f37b8557ddd8b99ae3fc583169
Fixed
92461d8d1e7eb414f5b562b0e1ecef37bc844021
Database specific 
{
    "versions": [
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.1.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
38d274060d2dd6c4240edfdcc30d122e8120545d
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.5.13"
        }
    ]
}

Affected versions

v1.*
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.7.0-rc1
v1.9.0
v1.9.0-rc1
v1.9.1
v2.*
v2.0.0-beta1
v2.0.0-beta3
v2.0.1
v2.0.2
v2.5.0
v2.6.0
v2.6.0-beta1
v3.*
v3.0.0-beta6
v3.0.0-beta7
v3.0.1
v3.0.2
v3.1.0-beta1
v4.*
v4.4.0
v4.5.0
v4.5.0-beta1
v4.6.0-beta1
v5.*
v5.,2.4
v5.0.0
v5.0.0-beta1
v5.0.0-beta2
v5.0.0-beta3
v5.0.0-beta4
v5.0.0-beta5
v6.*
v6.0.0-beta1
v6.5
v8.*
v8.3.3
v8.4.0-beta1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35957.json"