Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to 9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email address as a username. A Grafana user’s username and email address are unique fields, that means no other user can have the same username or email address as another user. A user can have an email address as a username. However, the login system allows users to log in with either username or email address. Since Grafana allows a user to log in with either their username or email address, this creates an usual behavior where `user_1` can register with one email address and `user_2` can register their username as `user_1`’s email address. This prevents `user_1` logging into the application since `user_1`'s password won’t match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no workarounds for this issue.

The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the grafana-9.0.9-2.el9 build changelog.

  - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

  - Using email as a username can prevent other users from signing in (CVE-2022-39229)

  - various flaws (CVE-2022-41715)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-2784 advisory.

    - resolve CVE-2022-39229 grafana: using email as a username can block other users from signing in
    - resolve CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
    - resolve CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
    - resolve CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query     parameters

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2023:2784 advisory.

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

  - Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to     9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email     address as a username. A Grafana user's username and email address are unique fields, that means no other     user can have the same username or email address as another user. A user can have an email address as a     username. However, the login system allows users to log in with either username or email address. Since     Grafana allows a user to log in with either their username or email address, this creates an usual     behavior where `user_1` can register with one email address and `user_2` can register their username as     `user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password     won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no     workarounds for this issue. (CVE-2022-39229)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:2784 advisory.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    Security Fix(es):

    * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * grafana: using email as a username can block other users from signing in (CVE-2022-39229)

    * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2023:2784 advisory.

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

  - Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to     9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email     address as a username. A Grafana user's username and email address are unique fields, that means no other     user can have the same username or email address as another user. A user can have an email address as a     username. However, the login system allows users to log in with either username or email address. Since     Grafana allows a user to log in with either their username or email address, this creates an usual     behavior where `user_1` can register with one email address and `user_2` can register their username as     `user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password     won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no     workarounds for this issue. (CVE-2022-39229)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2023-2167 advisory.

    - resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in
    - resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws
    - resolve CVE-2022-35957 grafana: Escalation from admin to server admin when auth proxy is used     (rhbz#2125530)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2023:2167 advisory.

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

  - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13     are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to     take over the server admin account and gain full control of the grafana instance. All installations should     be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at:
    https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-     proxy/ (CVE-2022-35957)

  - Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to     9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email     address as a username. A Grafana user's username and email address are unique fields, that means no other     user can have the same username or email address as another user. A user can have an email address as a     username. However, the login system allows users to log in with either username or email address. Since     Grafana allows a user to log in with either their username or email address, this creates an usual     behavior where `user_1` can register with one email address and `user_2` can register their username as     `user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password     won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no     workarounds for this issue. (CVE-2022-39229)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:2167 advisory.

    Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB &     OpenTSDB.

    Security Fix(es):

    * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * grafana: Escalation from admin to server admin when auth proxy is used (CVE-2022-35957)

    * grafana: using email as a username can block other users from signing in (CVE-2022-39229)

    * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0353-1 advisory.

  - Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and     8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server     admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.
    Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins     downloaded from untrusted sources. (CVE-2022-31123)

  - Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints     prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some     conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
    The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14     contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP     Header based authentication. (CVE-2022-31130)

  - Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1     and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins.
    The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination     plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for     this issue. There are no known workarounds. (CVE-2022-39201)

  - Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to     9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email     address as a username. A Grafana user's username and email address are unique fields, that means no other     user can have the same username or email address as another user. A user can have an email address as a     username. However, the login system allows users to log in with either username or email address. Since     Grafana allows a user to log in with either their username or email address, this creates an usual     behavior where `user_1` can register with one email address and `user_2` can register their username as     `user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password     won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no     workarounds for this issue. (CVE-2022-39229)

  - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on     the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the     organization they are an admin for. When admins add members to the organization, non existing users get an     email invite, existing members are added directly to the organization. When an invite link is sent, it     allows users to sign up with whatever username/email address the user chooses and become a member of the     organization. This introduces a vulnerability which can be used with malicious intent. This issue is     patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
    (CVE-2022-39306)

  - Grafana is an open-source platform for monitoring and observability. When using the forget password on the     login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or     email does not exist, a JSON response contains a user not found message. This leaks information to     unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported     to 8.5.15. There are no known workarounds. (CVE-2022-39307)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0362-1 advisory.

  - Grafana is an open source observability and data visualization platform. Versions prior to 9.1.8 and     8.5.14 are vulnerable to a bypass in the plugin signature verification. An attacker can convince a server     admin to download and successfully run a malicious plugin even though unsigned plugins are not allowed.
    Versions 9.1.8 and 8.5.14 contain a patch for this issue. As a workaround, do not install plugins     downloaded from untrusted sources. (CVE-2022-31123)

  - Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints     prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some     conditions. The vulnerability impacts data source and plugin proxy endpoints with authentication tokens.
    The destination plugin could receive a user's Grafana authentication token. Versions 9.1.8 and 8.5.14     contain a patch for this issue. As a workaround, do not use API keys, JWT authentication, or any HTTP     Header based authentication. (CVE-2022-31130)

  - Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1     and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins.
    The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination     plugin could receive a user's Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for     this issue. There are no known workarounds. (CVE-2022-39201)

  - Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to     9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email     address as a username. A Grafana user's username and email address are unique fields, that means no other     user can have the same username or email address as another user. A user can have an email address as a     username. However, the login system allows users to log in with either username or email address. Since     Grafana allows a user to log in with either their username or email address, this creates an usual     behavior where `user_1` can register with one email address and `user_2` can register their username as     `user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password     won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no     workarounds for this issue. (CVE-2022-39229)

  - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.2.4, or 8.5.15 on     the 8.X branch, are subject to Improper Input Validation. Grafana admins can invite other members to the     organization they are an admin for. When admins add members to the organization, non existing users get an     email invite, existing members are added directly to the organization. When an invite link is sent, it     allows users to sign up with whatever username/email address the user chooses and become a member of the     organization. This introduces a vulnerability which can be used with malicious intent. This issue is     patched in version 9.2.4, and has been backported to 8.5.15. There are no known workarounds.
    (CVE-2022-39306)

  - Grafana is an open-source platform for monitoring and observability. When using the forget password on the     login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or     email does not exist, a JSON response contains a user not found message. This leaks information to     unauthenticated users and introduces a security risk. This issue has been patched in 9.2.4 and backported     to 8.5.15. There are no known workarounds. (CVE-2022-39307)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 909a80ba-6294-11ed-9ca2-6c3be5272acd advisory.

  - Grafana is an open source data visualization platform for metrics, logs, and traces. Versions prior to     9.1.8 and 8.5.14 allow one user to block another user's login attempt by registering someone else'e email     address as a username. A Grafana user's username and email address are unique fields, that means no other     user can have the same username or email address as another user. A user can have an email address as a     username. However, the login system allows users to log in with either username or email address. Since     Grafana allows a user to log in with either their username or email address, this creates an usual     behavior where `user_1` can register with one email address and `user_2` can register their username as     `user_1`'s email address. This prevents `user_1` logging into the application since `user_1`'s password     won't match with `user_2`'s email address. Versions 9.1.8 and 8.5.14 contain a patch. There are no     workarounds for this issue. (CVE-2022-39229)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
191219	CentOS 9 : grafana-9.0.9-2.el9	Nessus	CentOS Local Security Checks	high
176294	Oracle Linux 8 : grafana (ELSA-2023-2784)	Nessus	Oracle Linux Local Security Checks	high
176182	AlmaLinux 8 : grafana (ALSA-2023:2784)	Nessus	Alma Linux Local Security Checks	high
175872	RHEL 8 : grafana (RHSA-2023:2784)	Nessus	Red Hat Local Security Checks	high
175848	CentOS 8 : grafana (CESA-2023:2784)	Nessus	CentOS Local Security Checks	high
175686	Oracle Linux 9 : grafana (ELSA-2023-2167)	Nessus	Oracle Linux Local Security Checks	high
175646	AlmaLinux 9 : grafana (ALSA-2023:2167)	Nessus	Alma Linux Local Security Checks	high
175483	RHEL 9 : grafana (RHSA-2023:2167)	Nessus	Red Hat Local Security Checks	high
171431	openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:0353-1)	Nessus	SuSE Local Security Checks	high
171401	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : grafana (SUSE-SU-2023:0362-1)	Nessus	SuSE Local Security Checks	high
167322	FreeBSD : Grafana -- Improper authentication (909a80ba-6294-11ed-9ca2-6c3be5272acd)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2022-39229

medium

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

medium