PT-2022-7105 · Grafana · Grafana Enterprise Metrics
Published: 2022-12-20 · Updated: 2022-12-29 · CVE-2022-44643
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Grafana Enterprise Metrics versions prior to 1.7.1
Grafana Enterprise Metrics versions prior to 2.3.1
Description
The issue is in the label-based access control of Grafana Enterprise Metrics and allows an attacker to gain more access than intended. If an access policy with label selector restrictions is granted access to all tenants, the label selector restrictions are not applied. This can impact the confidentiality, integrity, and availability of protected information.
Recommendations
For versions prior to 1.7.1, update to version 1.7.1 or later to resolve the issue.
For versions prior to 2.3.1, update to version 2.3.1 or later to resolve the issue.
As a temporary workaround, consider reviewing and restricting access policies to ensure that label selector restrictions are properly applied.
Fix
Improper Access Control
Incorrect Privilege Assignment
Related Identifiers
Affected Products
Grafana Enterprise Metrics