FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Affected packages
5.0.0 <= grafana < 8.5.14
9.0.0 <= grafana < 9.1.8
7.0.0 <= grafana7
8.0.0 <= grafana8 < 8.5.14
9.0.0 <= grafana9 < 9.1.8

Details

VuXML ID 6877e164-6296-11ed-9ca2-6c3be5272acd
Discovery 2022-09-07
Entry 2022-11-12

Grafana Labs reports:

On September 7th, as a result of an internal security audit, we discovered that Grafana could leak the authentication cookie of users to plugins. After further analysis, the vulnerability impacts data source and plugin proxy endpoints under certain conditions.

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
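
The defect class the report describes, a proxy endpoint that hands the browser's Grafana session cookie to the destination data source or plugin, can be made concrete with a small Go illustration. This is an added example, not Grafana's code and not the fix shipped in 8.5.14 and 9.1.8; the route prefix, the cookie name grafana_session, the list of stripped headers and the fake plugin server are assumptions made for the demonstration.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Illustration only, not Grafana's code. credentialHeaders lists request
// headers that carry the caller's credentials for the proxy itself, not for
// the destination. Which headers belong here is an assumption for the example.
var credentialHeaders = []string{"Cookie", "Authorization"}

// outboundHeaders builds the header set sent to the destination. With
// stripCreds=false it is a verbatim copy of the inbound headers, session cookie
// included (the leaky behaviour); with true the caller's credentials are removed.
func outboundHeaders(in http.Header, stripCreds bool) http.Header {
	out := in.Clone()
	if stripCreds {
		for _, name := range credentialHeaders {
			out.Del(name)
		}
	}
	return out
}

// newProxy returns a handler that forwards requests under the assumed route
// prefix /api/datasources/proxy to upstream, in the style of a data source proxy.
func newProxy(upstream *url.URL, stripCreds bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := *upstream
		target.Path = strings.TrimPrefix(r.URL.Path, "/api/datasources/proxy")
		target.RawQuery = r.URL.RawQuery
		out, err := http.NewRequestWithContext(r.Context(), r.Method, target.String(), r.Body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		out.ContentLength = r.ContentLength
		out.Header = outboundHeaders(r.Header, stripCreds)
		resp, err := http.DefaultClient.Do(out)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		for k, v := range resp.Header {
			w.Header()[k] = v
		}
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// cookieReachesUpstream sends one browser-style request (constructed cookie
// value) through the proxy to a fake destination plugin and reports whether
// the session cookie arrived at the plugin.
func cookieReachesUpstream(stripCreds bool) bool {
	var seen string
	plugin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Cookie")
		w.WriteHeader(http.StatusOK)
	}))
	defer plugin.Close()
	u, _ := url.Parse(plugin.URL)
	proxy := httptest.NewServer(newProxy(u, stripCreds))
	defer proxy.Close()

	req, _ := http.NewRequest(http.MethodGet, proxy.URL+"/api/datasources/proxy/1/query", nil)
	req.Header.Set("Cookie", "grafana_session=constructed-session-value")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return strings.Contains(seen, "grafana_session=")
}

func main() {
	println("leaky proxy forwards cookie:", cookieReachesUpstream(false))
	println("hardened proxy forwards cookie:", cookieReachesUpstream(true))
}
```

The leaky variant copies the inbound header set verbatim, so whoever operates the destination receives a usable session cookie for the Grafana instance; the hardened variant deletes the caller's credentials before the outbound request is built, which is the general remedy for this class of proxy leak independent of how Grafana's own fix is implemented. Running main prints true for the leaky proxy and false for the hardened one.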

References

CVE Name CVE-2022-39201
URL https://github.com/grafana/grafana/security/advisories/GHSA-x744-mm8v-vpgr