Moderate severity · NVD Advisory · Published Feb 8, 2022 · Updated Apr 23, 2025
Cross Site Request Forgery in Grafana
CVE-2022-21703
Description
Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
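The description names the class of bug (a cross-origin request riding on an authenticated session to perform a privileged action such as inviting a user) but not the defence. The following Go middleware is an added example written for this page; it is not Grafana's code and not the change made in PR 45083. It applies the standard same-origin check: a request that carries the session cookie and uses a state-changing method must present an Origin (or, as fallback, Referer) header whose host matches the request host, and every rejection is logged so it can be used as a detection signal. The cookie name "session", the path /api/org/invites and the hostnames are constructed for the demo.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// hostOnly returns the lower-cased host part of "host[:port]".
// The port is ignored on purpose: a proxy in front of the app often rewrites it.
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return strings.ToLower(h)
	}
	return strings.ToLower(hostport) // no port present
}

// csrfVerdict decides whether a request may reach a state-changing handler.
// Rule: a request that carries the session cookie and uses a non-safe method
// must prove it came from our own origin via Origin (or Referer as fallback).
// Browsers always attach Origin to cross-site POSTs, so a request forged from
// another site cannot satisfy this. Returns (allowed, reason) so the reason
// can be logged when a request is refused.
func csrfVerdict(method, reqHost, origin, referer string, hasSessionCookie bool) (bool, string) {
	if !hasSessionCookie {
		return true, "no session cookie: nothing for a forged request to ride on"
	}
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true, "safe method" // only sound if GET handlers really have no side effects
	}
	src := origin
	if src == "" {
		src = referer
	}
	if src == "" {
		return false, "state-changing request with session cookie but no Origin/Referer"
	}
	u, err := url.Parse(src)
	if err != nil || u.Host == "" { // also rejects the literal "null" origin
		return false, "unparseable Origin/Referer: " + src
	}
	if hostOnly(u.Host) != hostOnly(reqHost) {
		return false, fmt.Sprintf("cross-origin request from %q to %q", hostOnly(u.Host), hostOnly(reqHost))
	}
	return true, "same-origin"
}

// csrfGuard wraps a handler with the check above (hypothetical middleware, not Grafana's).
func csrfGuard(sessionCookie string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, err := r.Cookie(sessionCookie)
		ok, reason := csrfVerdict(r.Method, r.Host, r.Header.Get("Origin"), r.Header.Get("Referer"), err == nil)
		if !ok {
			log.Printf("csrf: rejected %s %s: %s", r.Method, r.URL.Path, reason) // detection signal
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed stand-in for a privileged action such as creating an invite.
	invite := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "invite created")
	})
	srv := httptest.NewServer(csrfGuard("session", invite))
	defer srv.Close()

	// Send a POST carrying the session cookie, with the given Origin header (empty = none).
	post := func(origin string) int {
		req, _ := http.NewRequest(http.MethodPost, srv.URL+"/api/org/invites", strings.NewReader("{}"))
		req.AddCookie(&http.Cookie{Name: "session", Value: "constructed-session-value"})
		if origin != "" {
			req.Header.Set("Origin", origin)
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			log.Fatal(err)
		}
		resp.Body.Close()
		return resp.StatusCode
	}
	fmt.Println("same-origin POST:", post(srv.URL))
	fmt.Println("cross-origin POST:", post("https://other-site.example"))
	fmt.Println("POST with no Origin/Referer:", post(""))
}
```

Two caveats for deploying a check like this: when the application sits behind a reverse proxy, compare against the configured public hostname rather than the raw Host header (which the proxy may rewrite), and treat GET as safe only if no GET handler changes state. A SameSite attribute on the session cookie is a complementary, browser-side layer; the server-side origin check is the one that does not depend on client behaviour.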
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/grafana/grafana/pkg/web | Go | >= 3.0-beta1, < 7.5.15 | 7.5.15 |
| github.com/grafana/grafana/pkg/web | Go | >= 8.0.0, < 8.3.5 | 8.3.5 |
Affected products
OSV coordinates (package URLs) with the affected version range for each; none of these entries has a CPE assigned.
- pkg:bitnami/grafana, range: >= 3.0.1, < 7.5.15
- pkg:golang/github.com/grafana/grafana/pkg/web, range: >= 3.0-beta1, < 7.5.15
- pkg:rpm/almalinux/grafana, range: < 7.5.15-3.el8
- pkg:rpm/opensuse/grafana&distro=openSUSE%20Leap%2015.3, range: < 8.3.5-150200.3.21.1
- pkg:rpm/opensuse/grafana&distro=openSUSE%20Leap%2015.4, range: < 8.3.5-150200.3.21.1
- pkg:rpm/opensuse/grafana&distro=openSUSE%20Tumbleweed, range: < 8.3.5-1.1
- pkg:rpm/opensuse/prometheus-postgres_exporter&distro=openSUSE%20Leap%2015.3, range: < 0.10.0-150000.1.3.1
- pkg:rpm/opensuse/rhnlib&distro=openSUSE%20Leap%2015.3, range: < 4.2.6-150000.3.34.1
- pkg:rpm/opensuse/spacecmd&distro=openSUSE%20Leap%2015.3, range: < 4.2.16-150000.3.77.1
- pkg:rpm/suse/golang-github-boynux-squid_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 1.6-4.9.2
- pkg:rpm/suse/golang-github-lusitaniae-apache_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 1.0.0-4.12.4
- pkg:rpm/suse/golang-github-prometheus-alertmanager&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 0.23.0-1.12.3
- pkg:rpm/suse/golang-github-prometheus-alertmanager&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 0.26.0-4.12.4
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=HPE%20Helion%20OpenStack%208, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 1.5.0-4.15.4
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20OpenStack%20Cloud%208, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20OpenStack%20Cloud%209, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209, range: < 1.3.0-1.15.3
- pkg:rpm/suse/golang-github-prometheus-prometheus&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 2.45.0-4.33.3
- pkg:rpm/suse/golang-github-prometheus-promu&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 0.14.0-4.12.2
- pkg:rpm/suse/golang-github-QubitProducts-exporter_exporter&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 0.4.0-1.6.1
- pkg:rpm/suse/golang-github-QubitProducts-exporter_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 0.4.0-4.6.2
- pkg:rpm/suse/grafana&distro=SUSE%20Enterprise%20Storage%206, range: < 8.5.13-150100.3.12.1
- pkg:rpm/suse/grafana&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4, range: < 8.3.10-150200.3.26.1
- pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 8.3.5-1.30.3
- pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 9.5.8-4.21.2
- pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 8.3.5-150000.1.30.1
- pkg:rpm/suse/kiwi-desc-saltboot&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 0.1.1687520761.cefb248-4.15.2
- pkg:rpm/suse/mgr-cfg&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.6-1.27.4
- pkg:rpm/suse/mgr-cfg&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.8-150000.1.24.1
- pkg:rpm/suse/mgr-custom-info&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.3-1.18.1
- pkg:rpm/suse/mgr-daemon&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.4-1.32.3
- pkg:rpm/suse/mgr-osad&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.6-1.39.4
- pkg:rpm/suse/mgr-osad&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.8-150000.1.36.1
- pkg:rpm/suse/mgr-push&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.4-1.21.4
- pkg:rpm/suse/mgr-push&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 5.0.1-4.21.4
- pkg:rpm/suse/mgr-push&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.5-150000.1.18.2
- pkg:rpm/suse/mgr-virtualization&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.5-1.29.3
- pkg:rpm/suse/mgr-virtualization&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.4-150000.1.26.1
- pkg:rpm/suse/prometheus-blackbox_exporter&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 0.19.0-1.8.2
- pkg:rpm/suse/prometheus-blackbox_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 0.24.0-3.6.3
- pkg:rpm/suse/prometheus-postgres_exporter&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 0.10.0-1.8.2
- pkg:rpm/suse/prometheus-postgres_exporter&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 0.10.1-3.6.4
- pkg:rpm/suse/prometheus-postgres_exporter&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 0.10.0-150000.1.3.1
- pkg:rpm/suse/prometheus-postgres_exporter&distro=SUSE%20Manager%20Server%20Module%204.2, range: < 0.10.0-150000.1.3.1
- pkg:rpm/suse/python-hwdata&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 2.3.5-12.9.1
- pkg:rpm/suse/python-hwdata&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 2.3.5-15.12.2
- pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.4-21.43.3
- pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 5.0.1-24.30.3
- pkg:rpm/suse/rhnlib&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.6-150000.3.34.1
- pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.11-38.103.3
- pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 5.0.1-41.42.3
- pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.16-150000.3.77.1
- pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.9-52.71.3
- pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.18-150000.3.59.1
- pkg:rpm/suse/spacewalk-koan&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.5-24.33.3
- pkg:rpm/suse/spacewalk-koan&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.6-150000.3.27.1
- pkg:rpm/suse/spacewalk-oscap&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.5-19.27.1
- pkg:rpm/suse/spacewalk-oscap&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.4-150000.3.18.1
- pkg:rpm/suse/spacewalk-remote-utils&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.3-24.24.3
- pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 1.2.0-6.16.1
- pkg:rpm/suse/supportutils-plugin-salt&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 1.2.2-9.9.2
- pkg:rpm/suse/supportutils-plugin-susemanager-client&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.2-6.24.1
- pkg:rpm/suse/supportutils-plugin-susemanager-client&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 5.0.1-9.15.2
- pkg:rpm/suse/suseRegisterInfo&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.3-25.27.3
- pkg:rpm/suse/suseRegisterInfo&distro=SUSE%20Manager%20Client%20Tools%2015, range: < 4.2.6-150000.3.21.1
- pkg:rpm/suse/system-user-grafana&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 1.0.0-3.7.2
- pkg:rpm/suse/system-user-prometheus&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 1.0.0-3.7.2
- pkg:rpm/suse/uyuni-common-libs&distro=SUSE%20Manager%20Client%20Tools%2012, range: < 4.3.4-1.21.3
- pkg:rpm/suse/uyuni-common-libs&distro=SUSE%20Manager%20Client%20Tools%2012-BETA, range: < 5.0.1-3.33.3
References
- https://github.com/advisories/GHSA-cmf4-h3xc-jw8w (GHSA: advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-21703 (GHSA: advisory)
- https://github.com/grafana/grafana/pull/45083 (GHSA: web, x_refsource_MISC)
- https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w (GHSA: web, x_refsource_CONFIRM)
- https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/ (GHSA: web; MITRE: x_refsource_MISC)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/ (GHSA: web; MITRE: vendor advisory, x_refsource_FEDORA)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/ (GHSA: web; MITRE: vendor advisory, x_refsource_FEDORA)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/ (GHSA: web; MITRE: vendor advisory, x_refsource_FEDORA)
- https://security.netapp.com/advisory/ntap-20220303-0005/ (GHSA: web; MITRE: x_refsource_CONFIRM)