{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-08T16:59:28", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://grafana.com"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/BrotherOfJhonny/grafana/blob/main/README.md"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/grafana/grafana/issues/50336"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/BrotherOfJhonny/grafana"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220715-0008/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-32275", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://grafana.com", "refsource": "MISC", "url": "https://grafana.com"}, {"name": "https://github.com/BrotherOfJhonny/grafana/blob/main/README.md", "refsource": "MISC", "url": "https://github.com/BrotherOfJhonny/grafana/blob/main/README.md"}, {"name": "https://github.com/grafana/grafana/issues/50336", "refsource": "MISC", "url": "https://github.com/grafana/grafana/issues/50336"}, {"name": "https://github.com/BrotherOfJhonny/grafana", "refsource": "MISC", "url": "https://github.com/BrotherOfJhonny/grafana"}, {"name": "https://security.netapp.com/advisory/ntap-20220715-0008/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220715-0008/"}, {"name": "https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393", "refsource": "MISC", "url": "https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393"}]}}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-32275", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T15:19:11.619001Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:grafana:grafana:-:*:*:*:enterprise:*:*:*"], "vendor": "grafana", "product": "grafana", "versions": [{"status": "affected", "version": "8.4.3"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:16:24.215Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:39:50.900Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://grafana.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/BrotherOfJhonny/grafana/blob/main/README.md"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grafana/grafana/issues/50336"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/BrotherOfJhonny/grafana"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220715-0008/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-32275", "datePublished": "2022-06-06T18:29:07", "dateReserved": "2022-06-03T00:00:00", "dateUpdated": "2024-08-03T07:39:50.900Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://grafana.com", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/BrotherOfJhonny/grafana/blob/main/README.md", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/grafana/grafana/issues/50336", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/BrotherOfJhonny/grafana", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20220715-0008/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:39:50.900Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-32275", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T15:19:11.619001Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:grafana:grafana:-:*:*:*:enterprise:*:*:*"], "vendor": "grafana", "product": "grafana", "versions": [{"status": "affected", "version": "8.4.3"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-01T15:19:16.196Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://grafana.com", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/BrotherOfJhonny/grafana/blob/main/README.md", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/grafana/grafana/issues/50336", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/BrotherOfJhonny/grafana", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20220715-0008/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-09-08T16:59:28"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://grafana.com", "name": "https://grafana.com", "refsource": "MISC"}, {"url": "https://github.com/BrotherOfJhonny/grafana/blob/main/README.md", "name": "https://github.com/BrotherOfJhonny/grafana/blob/main/README.md", "refsource": "MISC"}, {"url": "https://github.com/grafana/grafana/issues/50336", "name": "https://github.com/grafana/grafana/issues/50336", "refsource": "MISC"}, {"url": "https://github.com/BrotherOfJhonny/grafana", "name": "https://github.com/BrotherOfJhonny/grafana", "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20220715-0008/", "name": "https://security.netapp.com/advisory/ntap-20220715-0008/", "refsource": "CONFIRM"}, {"url": "https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393", "name": "https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-32275", "STATE": "PUBLIC", "ASSIGNER": "cve@mitre.org"}}}}, "cveMetadata": {"cveId": "CVE-2022-32275", "state": "PUBLISHED", "dateUpdated": "2024-08-03T07:39:50.900Z", "dateReserved": "2022-06-03T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2022-06-06T18:29:07", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:grafana:grafana:8.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "F217504A-4756-40F0-8589-417B85664F95", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content"}, {"lang": "es", "value": "** EN DISPUTA ** Grafana versi\u00f3n 8.4.3, permite leer archivos por medio de (por ejemplo) un /dashboard/snapshot/%7B%7Bconstructor.constructor\"/. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTA: la posici\u00f3n del proveedor es que no hay ninguna vulnerabilidad; esta petici\u00f3n produce una p\u00e1gina de error benigna, no el contenido de /etc/passwd."}], "id": "CVE-2022-32275", "lastModified": "2024-08-03T08:15:33.903", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-06-06T19:15:09.813", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/BrotherOfJhonny/grafana"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/BrotherOfJhonny/grafana/blob/main/README.md"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/grafana/grafana/issues/50336"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://grafana.com"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220715-0008/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana: session control failure may lead to information disclosure", "id": "2102254", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2102254"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content", "A flaw was found in grafana. This vulnerability occurs when the traversal path is explored, and the authentication system redirects to an internal system page that authenticated users should only access."], "name": "CVE-2022-32275", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "grafana", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Storage 3"}], "public_date": "2022-06-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-32275\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-32275\nhttps://grafana.com/blog/2022/06/07/cve-2022-32276-and-cve-2022-32275-no-current-evidence-of-security-impact/"], "threat_severity": "Low"}