CVE & CISA-KEV Catalog

CVE-2022-36062

HIGH
7.6
CVSS v3
NVD

Description

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.

How to fix

Remediation Available
GrafanaEnterpriseWindows application
Affected:8.5.13Fixed in:8.5.13Grafana Labs
Affected:9.1.0 9.1.6Fixed in:9.1.6Grafana Labs
Affected:9.0.0 9.0.9Fixed in:9.0.9Grafana Labs
GrafanaOSSWindows application
Affected:9.1.0 9.1.6Fixed in:9.1.6Grafana Labs
Affected:8.5.13Fixed in:8.5.13Grafana Labs
Affected:9.0.0 9.0.9Fixed in:9.0.9Grafana Labs

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityHigh
IntegrityLow
AvailabilityLow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Exploit Intelligence

0.61%probability of exploitation in 30 days
45thpercentile

Moderate risk: more likely to be exploited than 45% of all known CVEs.

References

Third-Party Advisory1

Related Vulnerabilities

Other CWE-281 vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2017-8543Critical9.874%KEV-
CVE-2019-0233High7.569%--
CVE-2017-8589Critical9.826%--
CVE-2021-33990Critical9.812%--
CVE-2017-8563High8.17.2%--
CVE-2017-8578High7.86.5%--
Embed a live status badge for CVE-2022-36062
CVE-2022-36062 severity badge

Markdown

[![CVE-2022-36062](https://tridentstack.com/cve/badge/CVE-2022-36062.svg)](https://tridentstack.com/cve/CVE-2022-36062)

HTML

<a href="https://tridentstack.com/cve/CVE-2022-36062"><img src="https://tridentstack.com/cve/badge/CVE-2022-36062.svg" alt="CVE-2022-36062"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.