PT-2022-17695 · Grafana+2
酷帥王子
Published 2021-01-29 · Updated 2024-03-06
CVE-2022-26148
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Grafana versions through 7.3.4
Description
An issue was discovered in Grafana when integrated with Zabbix: the Zabbix password is embedded in the HTML source delivered for "api jsonrpc.php". A user who has logged in, or who is permitted to register an account, can right-click to view the page source and use Ctrl-F to search for "api jsonrpc.php", which reveals the Zabbix account password together with the URL address.
Recommendations
For versions through 7.3.4, consider restricting access to the "api jsonrpc.php" file to minimize the risk of exploitation. As a temporary workaround, restrict the ability for users to view the source code of "api jsonrpc.php" until a patch is available.
Weakness Enumeration
Cleartext Storage of Sensitive Information
Affected Products
Alt Linux
Grafana
Zabbix