CVE-2022-32275

high

Description

Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content.

References

https://security.netapp.com/advisory/ntap-20220715-0008/

https://grafana.com

https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393

https://github.com/grafana/grafana/issues/50336

https://github.com/BrotherOfJhonny/grafana/blob/main/README.md

https://github.com/BrotherOfJhonny/grafana

Details

Source: Mitre, NVD

Published: 2022-06-06

Updated: 2024-08-03

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High