CVE-2022-39201

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39201
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39201.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-39201
Aliases
Related
Published
2022-10-13T23:15:10Z
Modified
2024-08-01T06:54:35.593263Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.

References

Affected packages

Git / github.com/grafana/grafana

Affected ranges

Type
GIT
Repo
https://github.com/grafana/grafana
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b571acc1dc130a33f24742c1f93b93216da6cf57
Fixed
c658816f5229d17f877579250c07799d3bbaebc9

Affected versions

v1.*

v1.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.7.0
v1.7.0-rc1
v1.8.0
v1.8.0-rc1
v1.8.1
v1.9.0
v1.9.0-rc1
v1.9.1

v2.*

v2.0.0-beta1
v2.0.0-beta3
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.2
v2.5.0
v2.6.0
v2.6.0-beta1

v3.*

v3.0-beta1
v3.0-beta2
v3.0-beta3
v3.0-beta4
v3.0-beta5
v3.0.0-beta6
v3.0.0-beta7
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.0-beta1
v3.1.1

v4.*

v4.0.0
v4.0.0-beta1
v4.0.0-beta2
v4.0.1
v4.0.2
v4.1.0-beta1
v4.2.0-beta1
v4.3.0
v4.3.0-beta1
v4.3.1
v4.3.2
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.0-beta1
v4.5.1
v4.6.0-beta1

v5.*

v5.,2.4
v5.0.0
v5.0.0-beta1
v5.0.0-beta2
v5.0.0-beta3
v5.0.0-beta4
v5.0.0-beta5

v6.*

v6.0.0-beta1
v6.5

v8.*

v8.3.3
v8.4.0-beta1