[FREEBSD:6877E164-6296-11ED-9CA2-6C3BE5272ACD] Grafana -- Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Severity High
Affected Packages 4
CVEs 1

Grafana Labs reports:

  On September 7th as a result of an internal security audit we have discovered
  that Grafana could leak the authentication cookie of users to plugins. After
  further analysis the vulnerability impacts data source and plugin proxy
  endpoints under certain conditions.
  We believe that this vulnerability is rated at CVSS 6.8
  (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
ID: FREEBSD:6877E164-6296-11ED-9CA2-6C3BE5272ACD
Severity: high
Severity from: CVE-2022-39201
URL: http://vuxml.freebsd.org/freebsd/6877e164-6296-11ed-9ca2-6c3be5272acd.html
Published: 2022-09-07T00:00:00
Modified: 2022-11-12T00:00:00
Rights: FreeBSD VuXML Security Team
Other Advisories
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix
Affected | pkg:freebsd/grafana9 | | grafana9 | < 9.1.8 | | |
Affected | pkg:freebsd/grafana8 | | grafana8 | < 8.5.14 | | |
Affected | pkg:freebsd/grafana7 | | grafana7 | | | |
Affected | pkg:freebsd/grafana | | grafana | < 8.5.14 | | |