Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-36062

Good to know:

icon

Date: September 22, 2022

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.

Language: TYPE_SCRIPT

Severity Score

Related Resources (5)

https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492
https://security.netapp.com/advisory/ntap-20221215-0001/
https://people.canonical.com/~ubuntu-security/cve/CVE-2022-36062
https://nvd.nist.gov/vuln/detail/CVE-2022-36062
https://www.mend.io/vulnerability-database/CVE-2022-36062

Severity Score

Weakness Type (CWE)

Improper Preservation of Permissions

CWE-281

Top Fix

icon

Upgrade Version

Upgrade to version Grafana - 8.5.13,9.0.9,9.1.6

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us