PT-2022-23151 · Grafana+3

Vtorosyan · Published 2022-09-22 · Updated 2026-05-24 · CVE-2022-36062

CVSS v3.1: 7.6 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Grafana versions prior to 8.5.13
Grafana versions prior to 9.0.9
Grafana versions prior to 9.1.6

Description

The issue is an Improper Preservation of Permissions weakness that results in privilege escalation on some folders where Admin is the only permission in use. It occurs when RBAC was disabled and then enabled: the migrations that translate legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission on the folder is Admin. As a result, RBAC adds permissions for Editors and Viewers, allowing them to edit and view those folders.

Recommendations

For versions prior to 8.5.13, update to version 8.5.13 or later.
For versions prior to 9.0.9, update to version 9.0.9 or later.
For versions prior to 9.1.6, update to version 9.1.6 or later.
As a temporary workaround when the impacted folder/dashboard is known, consider removing the additional permissions manually.

Weakness Enumeration

Improper Preservation of Permissions

Related Identifiers

ALSA-2025_16880
ALT-PU-2022-3295
ALT-PU-2023-1161
ALT-PU-2023-4133
ALT-PU-2023-4346
ALT-PU-2023-4567
BIT-GRAFANA-2022-36062
CVE-2022-36062
GHSA-P978-56HQ-R492
GO-2024-2854
OESA-2025-1186
OESA-2025-1187
OESA-2025-1188
OESA-2025-1189
OPENSUSE-SU-2022_4428-1
OPENSUSE-SU-2022_4437-1
OPENSUSE-SU-2024:12366-1
SUSE-SU-2022:3676-1
SUSE-SU-2022:4428-1
SUSE-SU-2022:4437-1
SUSE-SU-2022:4439-1
SUSE-SU-2023:2575-1
SUSE-SU-2023:2578-1
SUSE-SU-2023:2579-1
SUSE-SU-2024:0191-1
SUSE-SU-2024:0196-1

Affected Products

ALT Linux
Grafana
RED OS
SUSE