CVE-2022-31107: Grafana account takeover via OAuth vulnerability
(updated )
On June 27 the HTTPVoid team contacted Grafana Labs to disclose a Grafana account takeover via an OAuth vulnerability.
We believe that this vulnerability is rated at CVSS 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L).
References
- github.com/advisories/GHSA-mx47-6497-3fv2
- github.com/grafana/grafana
- github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2
- grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10
- grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9
- grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3
- nvd.nist.gov/vuln/detail/CVE-2022-31107
- security.netapp.com/advisory/ntap-20220901-0010
Code Behaviors & Features
Detect and mitigate CVE-2022-31107 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →