CVE-2022-32275
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
CVE Program Container
Additional References
- https://grafana.com
- https://github.com/BrotherOfJhonny/grafana/blob/main/README.md
- https://github.com/grafana/grafana/issues/50336
- https://github.com/BrotherOfJhonny/grafana
- https://security.netapp.com/advisory/ntap-20220715-0008/
- https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393
References
- https://grafana.com
- https://github.com/BrotherOfJhonny/grafana/blob/main/README.md
- https://github.com/grafana/grafana/issues/50336
- https://github.com/BrotherOfJhonny/grafana
- https://security.netapp.com/advisory/ntap-20220715-0008/
- https://github.com/grafana/grafana/issues/50341#issuecomment-1155252393
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.