CVE-2022-31097: Grafana Stored Cross-site Scripting in Unified Alerting
(updated )
On June 19 a security researcher contacted Grafana Labs to disclose a XSS vulnerability in the Unified Alerting feature of Grafana. After analysis, this stored XSS could be used to elevate privileges from Editor to Admin.
We believe that this vulnerability is rated at CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
References
- github.com/advisories/GHSA-vw7q-p2qg-4m5f
- github.com/grafana/grafana
- github.com/grafana/grafana/security/advisories/GHSA-vw7q-p2qg-4m5f
- grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9
- grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3
- grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10
- nvd.nist.gov/vuln/detail/CVE-2022-31097
- security.netapp.com/advisory/ntap-20220901-0010
Code Behaviors & Features
Detect and mitigate CVE-2022-31097 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →