CVE-2022-36062: Grafana folders admin only permission privilege escalation

On August 29 we have received a bug report for Grafana role-based access control (RBAC) and confirmed a vulnerability in the Grafana. This vulnerability impacts folders/dashboards with Admin only permissions and where RBAC was ever enabled at least once.

When RBAC is enabled, Grafana runs migrations which translate legacy access control permissions into RBAC permissions. The migrations contain a bug, which grants additional access to folders/dashboards which only had Admin role grant, resulting in a privilege escalation where Editors can edit and Viewers can view the folder/dashboard which they should not have access to.

The CVSS score for this vulnerability is 6.4 Moderate (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L).