CVE-2022-21702 : Grafana is an open-source platform for monitoring and observability. In affected

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.

Published 2022-02-08 20:15:09

Updated 2022-09-10 02:41:08

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2022-21702

Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Performance Analyzer
Versions before (<) 3.0
cpe:2.3:a:netapp:e-series_performance_analyzer:*:*:*:*:*:*:*:*
Matching versions
Grafana » Grafana
Versions from including (>=) 8.0.0 and before (<) 8.3.5
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Matching versions
Grafana » Grafana
Versions from including (>=) 2.0.1 and before (<) 7.5.15
cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*
Matching versions
Grafana » Grafana » Version: 2.0.0 Update Beta1
cpe:2.3:a:grafana:grafana:2.0.0:beta1:*:*:*:*:*:*
Matching versions
Grafana » Grafana » Version: 2.0.0 Update Beta3
cpe:2.3:a:grafana:grafana:2.0.0:beta3:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-21702

EPSS FAQ

0.89%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 74 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-21702

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:N/AC:H/Au:S/C:N/I:P/A:N	3.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	2.3	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N	1.3	4.7	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: Low Availability: None

CWE ids for CVE-2022-21702

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2022-21702

https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g

CVE-2022-21702: Grafana proxy XSS · Advisory · grafana/grafana · GitHub
Exploit;Mitigation;Release Notes;Third Party Advisory
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/

Grafana 7.5.15 and 8.3.5 released with moderate severity security fixes | Grafana Labs
Release Notes;Vendor Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/

[SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/

[SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20220303-0005/

February 2022 Grafana Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/

[SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85

[v7.5.x] Fix for CVE-2022-21702 (#226) · grafana/grafana@2772686 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-21702

Products affected by CVE-2022-21702

Exploit prediction scoring system (EPSS) score for CVE-2022-21702

CVSS scores for CVE-2022-21702

CWE ids for CVE-2022-21702

References for CVE-2022-21702