CVE-2022-39201: Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins
On September 7th, as a result of an internal security audit, we discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis, the vulnerability impacts data source and plugin proxy endpoints under certain conditions.
We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).
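As an added illustration of the bug class described above (example code, not Grafana's own code and not the fix in the referenced commits), the following Go program places a plain reverse proxy, which forwards every cookie of the calling user to the proxied destination, beside a hardened form whose Director strips the session cookie before forwarding. The cookie name grafana_session (Grafana's default login cookie), the request path and the destination server are assumptions constructed for the example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Grafana's default login cookie; that it is the cookie at issue here is an assumption for this example.
const sessionCookie = "grafana_session"

// stripSessionCookie drops the session cookie from an outbound request; other cookies are kept.
func stripSessionCookie(req *http.Request) {
	cookies := req.Cookies()
	req.Header.Del("Cookie")
	for _, c := range cookies {
		if c.Name != sessionCookie {
			req.AddCookie(c)
		}
	}
}

// newPluginProxy is the hardened form: its Director strips the session cookie before forwarding.
func newPluginProxy(target *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(target)
	base := proxy.Director
	proxy.Director = func(req *http.Request) {
		base(req)
		stripSessionCookie(req)
	}
	return proxy
}

// forwardedCookie runs one constructed request through a plain (leaking) or hardened proxy and returns the Cookie header the destination saw.
func forwardedCookie(hardened bool) string {
	var seen string
	dest := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Cookie")
	}))
	defer dest.Close()
	target, _ := url.Parse(dest.URL)
	var h http.Handler = httputil.NewSingleHostReverseProxy(target)
	if hardened {
		h = newPluginProxy(target)
	}
	req := httptest.NewRequest("GET", "/api/datasources/proxy/1/query", nil)
	req.AddCookie(&http.Cookie{Name: sessionCookie, Value: "SESSION-PLACEHOLDER"})
	req.AddCookie(&http.Cookie{Name: "theme", Value: "dark"})
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}
```

The plain proxy delivers `grafana_session=SESSION-PLACEHOLDER; theme=dark` to the destination, while the hardened one delivers only `theme=dark`.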
References
- github.com/advisories/GHSA-x744-mm8v-vpgr
- github.com/grafana/grafana
- github.com/grafana/grafana/commit/b571acc1dc130a33f24742c1f93b93216da6cf57
- github.com/grafana/grafana/commit/c658816f5229d17f877579250c07799d3bbaebc9
- github.com/grafana/grafana/releases/tag/v9.1.8
- github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr
- nvd.nist.gov/vuln/detail/CVE-2022-39201