CVE-2022-44643
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
A vulnerability in the label-based access control of Grafana Labs Grafana Enterprise Metrics allows an attacker more access than intended. If an access policy which has label selector restrictions also has been granted access to all tenants in the system, the label selector restrictions will not be applied when using this policy with the affected versions of the software. This issue affects: Grafana Labs Grafana Enterprise Metrics GEM 1.X versions prior to 1.7.1 on AMD64; GEM 2.X versions prior to 2.3.1 on AMD64.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
Workarounds
If upgrading is not possible, discontinue use of access policies with label selector restrictions.
ADP Enrichment
CVE Program Container
Additional References
- https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v171—-november-14th-2022
- https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v231—-november-14th-2022
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v171—-november-14th-2022
- https://grafana.com/docs/enterprise-metrics/v2.4.x/downloads/#v231—-november-14th-2022
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.