Nixpkgs Security Tracker

Untriaged

Permalink CVE-2022-39324

6.7 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): LOW

created 2 months ago

Grafana vulnerable to spoofing originalUrl of snapshots

Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.

References

https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw x_refsource_CONFIRM
https://github.com/grafana/grafana/pull/60232 x_refsource_MISC
https://github.com/grafana/grafana/pull/60256 x_refsource_MISC
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a x_refsource_MISC
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c x_refsource_MISC
https://security.netapp.com/advisory/ntap-20230309-0010/
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw x_refsource_CONFIRM
https://github.com/grafana/grafana/pull/60232 x_refsource_MISC
https://github.com/grafana/grafana/pull/60256 x_refsource_MISC
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a x_refsource_MISC
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c x_refsource_MISC
https://security.netapp.com/advisory/ntap-20230309-0010/
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw x_refsource_CONFIRM
https://github.com/grafana/grafana/pull/60232 x_refsource_MISC
https://github.com/grafana/grafana/pull/60256 x_refsource_MISC
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a x_refsource_MISC
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c x_refsource_MISC
https://security.netapp.com/advisory/ntap-20230309-0010/
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw x_refsource_CONFIRM x_transferred
https://github.com/grafana/grafana/pull/60232 x_refsource_MISC x_transferred
https://github.com/grafana/grafana/pull/60256 x_refsource_MISC x_transferred
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a x_refsource_MISC x_transferred
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c x_refsource_MISC x_transferred
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw x_refsource_CONFIRM
https://github.com/grafana/grafana/pull/60232 x_refsource_MISC
https://github.com/grafana/grafana/pull/60256 x_refsource_MISC
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a x_refsource_MISC
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c x_refsource_MISC
https://security.netapp.com/advisory/ntap-20230309-0010/
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw x_refsource_CONFIRM x_transferred
https://github.com/grafana/grafana/pull/60232 x_refsource_MISC x_transferred
https://github.com/grafana/grafana/pull/60256 x_refsource_MISC x_transferred
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a x_refsource_MISC x_transferred
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c x_refsource_MISC x_transferred
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw x_refsource_CONFIRM
https://github.com/grafana/grafana/pull/60232 x_refsource_MISC
https://github.com/grafana/grafana/pull/60256 x_refsource_MISC
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a x_refsource_MISC
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c x_refsource_MISC
https://security.netapp.com/advisory/ntap-20230309-0010/
https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw x_refsource_CONFIRM x_transferred
https://github.com/grafana/grafana/pull/60232 x_refsource_MISC x_transferred
https://github.com/grafana/grafana/pull/60256 x_refsource_MISC x_transferred
https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a x_refsource_MISC x_transferred
https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c x_refsource_MISC x_transferred

Affected products

grafana

==>= 9.0.0, < 9.2.8
==< 8.5.16

Matching in nixpkgs

pkgs.grafana

Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB

nixos-unstable 12.3.0
- nixpkgs-unstable 12.3.0
- nixos-unstable-small 12.3.0

pkgs.grafanactl

Tool designed to simplify interaction with Grafana instances

nixos-unstable 0.1.7
- nixpkgs-unstable 0.1.7
- nixos-unstable-small 0.1.7

pkgs.mcp-grafana

MCP server for Grafana

nixos-unstable 0.7.9
- nixpkgs-unstable 0.7.9
- nixos-unstable-small 0.7.9

pkgs.grafana-loki

Like Prometheus, but for logs

nixos-unstable 3.5.8
- nixpkgs-unstable 3.5.8
- nixos-unstable-small 3.5.8

pkgs.grafana-alloy

Open source OpenTelemetry Collector distribution with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles

nixos-unstable 1.11.3
- nixpkgs-unstable 1.11.3
- nixos-unstable-small 1.11.3

pkgs.grafana-kiosk

Kiosk Utility for Grafana

nixos-unstable 1.0.10
- nixpkgs-unstable 1.0.10
- nixos-unstable-small 1.0.10

pkgs.grafana-to-ntfy

Grafana-to-ntfy (ntfy.sh) alerts channel

nixos-unstable 0-unstable-2025-01-25
- nixpkgs-unstable 0-unstable-2025-01-25
- nixos-unstable-small 0-unstable-2025-01-25

pkgs.grafana-dash-n-grab

Grafana Dash-n-Grab (gdg) -- backup and restore Grafana dashboards, datasources, and other entities

nixos-unstable 0.8.1
- nixpkgs-unstable 0.8.1
- nixos-unstable-small 0.8.1

pkgs.grafana-image-renderer

Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)

nixos-unstable 5.0.10
- nixpkgs-unstable 5.0.10
- nixos-unstable-small 5.0.10

pkgs.dhallPackages.dhall-grafana

None

nixos-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixpkgs-unstable 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932
- nixos-unstable-small 49a3ee4801cf64f479e3f0bad839a5dd8e5b4932

pkgs.terraform-providers.grafana

None

pkgs.python312Packages.grafanalib

Library for building Grafana dashboards

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1

pkgs.python313Packages.grafanalib

Library for building Grafana dashboards

nixos-unstable 0.7.1
- nixpkgs-unstable 0.7.1
- nixos-unstable-small 0.7.1

pkgs.haskellPackages.amazonka-grafana

Amazon Managed Grafana SDK

nixos-unstable 2.0-unstable-2025-04-16
- nixpkgs-unstable 2.0-unstable-2025-04-16
- nixos-unstable-small 2.0-unstable-2025-04-16

pkgs.grafanaPlugins.grafana-oncall-app

Developer-friendly incident response for Grafana

nixos-unstable 1.16.6
- nixpkgs-unstable 1.16.6
- nixos-unstable-small 1.16.6

pkgs.grafanaPlugins.grafana-clock-panel

Clock panel for Grafana

nixos-unstable 2.1.9
- nixpkgs-unstable 2.1.9
- nixos-unstable-small 2.1.9

pkgs.terraform-providers.grafana_grafana

None

nixos-unstable 4.17.0
- nixpkgs-unstable 4.17.0
- nixos-unstable-small 4.17.0

pkgs.grafanaPlugins.grafana-pyroscope-app

Integrate seamlessly with Pyroscope, the open-source continuous profiling platform, providing a smooth, query-less experience for browsing and analyzing profiling data