Bug 2138014 (CVE-2022-39306) - CVE-2022-39306 grafana: email addresses and usernames cannot be trusted
Summary: CVE-2022-39306 grafana: email addresses and usernames cannot be trusted
Keywords:
Status: NEW
Alias: CVE-2022-39306
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2138031 2138032 2138033 2138068 2138069 2138264 2141184
Blocks: 2137894
 
Reported: 2022-10-26 21:20 UTC by Nick Tait
Modified: 2025-03-17 23:45 UTC
CC List: 42 users

Fixed In Version: grafana 9.2.4 grafana 8.5.15
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System                   ID             Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2023:3642 0        None      None    None     2023-06-15 16:01:18 UTC
Red Hat Product Errata   RHSA-2023:6420 0        None      None    None     2023-11-07 08:16:21 UTC

Description Nick Tait 2022-10-26 21:20:54 UTC
Grafana organization admins can invite other members. The invite link which is sent out allows new users to sign up with whatever username/email address they want, which can be exploited in a social engineering attack.

Affected Versions: 
Grafana <=8.x, Grafana <=9.x
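
To make the flaw class in the description concrete, the following is an added illustration in Go (Grafana's implementation language); it is not Grafana's code, and the InviteStore, the struct and error names, and the in-memory store are assumptions made for the example. It places the vulnerable redemption path, where the account takes whatever email the signup form posts, next to a hardened one that binds the new account to the address the admin actually invited and rejects a mismatch:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrUnknownInvite = errors.New("invite: unknown or expired token")
	ErrInviteUsed    = errors.New("invite: token already redeemed")
	ErrEmailMismatch = errors.New("invite: submitted email does not match the invited address")
)

// Invite is the record an org admin creates. The token is mailed only to Email.
type Invite struct {
	Token string
	Email string // address the admin actually invited (normalized)
	OrgID int64
	Used  bool
}

// SignupForm is what the redeeming browser posts back. Every field is
// attacker-controlled: the token proves possession of the mail, nothing more.
type SignupForm struct {
	Token string
	Email string
	Name  string
}

type User struct {
	Email string
	Name  string
	OrgID int64
}

// InviteStore is a hypothetical in-memory stand-in for the invite table.
type InviteStore struct{ byToken map[string]*Invite }

func NewInviteStore() *InviteStore { return &InviteStore{byToken: map[string]*Invite{}} }

func normalizeEmail(e string) string { return strings.ToLower(strings.TrimSpace(e)) }

// Create mints an unguessable token bound to the invited address.
func (s *InviteStore) Create(email string, orgID int64) (*Invite, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	inv := &Invite{Token: hex.EncodeToString(raw), Email: normalizeEmail(email), OrgID: orgID}
	s.byToken[inv.Token] = inv
	return inv, nil
}

func (s *InviteStore) redeemable(token string) (*Invite, error) {
	inv, ok := s.byToken[token]
	if !ok {
		return nil, ErrUnknownInvite
	}
	if inv.Used {
		return nil, ErrInviteUsed
	}
	return inv, nil
}

// CompleteInviteVulnerable reproduces the flaw class from the description:
// the token is checked, but the account is created with whatever email the
// form carries, so the invitee can register under any identity they like.
func (s *InviteStore) CompleteInviteVulnerable(form SignupForm) (*User, error) {
	inv, err := s.redeemable(form.Token)
	if err != nil {
		return nil, err
	}
	inv.Used = true
	return &User{Email: form.Email, Name: form.Name, OrgID: inv.OrgID}, nil
}

// CompleteInviteHardened takes the email from the invite record, not the form.
// A submitted email is accepted only if it matches the invited one, so the
// identity on the new account is the one the admin approved.
func (s *InviteStore) CompleteInviteHardened(form SignupForm) (*User, error) {
	inv, err := s.redeemable(form.Token)
	if err != nil {
		return nil, err
	}
	if form.Email != "" && normalizeEmail(form.Email) != inv.Email {
		return nil, ErrEmailMismatch
	}
	inv.Used = true
	return &User{Email: inv.Email, Name: form.Name, OrgID: inv.OrgID}, nil
}

func main() {
	store := NewInviteStore()
	inv, _ := store.Create("Alice@Example.com", 1)
	spoof := SignupForm{Token: inv.Token, Email: "ceo@example.com", Name: "Alice"}
	if u, err := store.CompleteInviteVulnerable(spoof); err == nil {
		fmt.Println("vulnerable flow created:", u.Email) // ceo@example.com
	}
	store2 := NewInviteStore()
	inv2, _ := store2.Create("alice@example.com", 1)
	spoof.Token = inv2.Token
	_, err := store2.CompleteInviteHardened(spoof)
	fmt.Println("hardened flow:", err) // ErrEmailMismatch
}
```

The display name is still taken from the form in both paths; the point of the hardened version is only that the email, the field other users and admins rely on to recognise an account, can no longer be chosen by the invitee.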

Comment 1 Sage McTaggart 2022-10-27 00:01:12 UTC
Deptopia refers to version 5.2.3-4.el7cp for ceph 3 (which matches a manual search of the most recent release's source code), thus affected and OOOS, and uses the Grafana container for Ceph 4 and 5.  

Grafana container:  
Ceph 4.x uses golang:1.11.4 as the base to get grafana from. This was released significantly prior to the bugs in 9.2.0 and 9.2.1, but 5.x<=8.x, so affected and trackers filed. 

Ceph 5.3 (RC and thus the only potentially affected version) uses Grafana 8.3.5, and all the potential bug fixes are from prior to the http://tracker.ceph.com/issues/48*, which is when the affected timeline begins. 

Ceph 5.2 (most recent published version) uses Grafana 8.3.5 and https://pkg.go.dev/github.com/grafana/grafana (from golang:1.17.6-alpine3.15), in the grafana container, published in 2019.
Thus, affected as 8.3.5 <= 8.x

In the case of gluster, the last release was in Feb. I also dug into the source code for gluster; we're running 5.2.4 as Deptopia verifies. 5.x<=8.x, so marked as affected and trackers filed.

Comment 6 Avinash Hanwate 2022-11-09 04:45:04 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2141184]

Comment 22 errata-xmlrpc 2023-06-15 16:01:14 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

Comment 24 errata-xmlrpc 2023-11-07 08:16:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6420 https://access.redhat.com/errata/RHSA-2023:6420
