{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-24T18:52:25.288","vulnerabilities":[{"cve":{"id":"CVE-2022-21673","sourceIdentifier":"security-advisories@github.com","published":"2022-01-18T22:15:07.873","lastModified":"2024-11-21T06:45:12.247","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4."},{"lang":"es","value":"Grafana es una plataforma de código abierto para la monitorización y la observabilidad. En las versiones afectadas, cuando una fuente de datos tiene habilitada la funcionalidad Forward OAuth Identity, el envío de una consulta a esa fuente de datos con un token de API (y sin otras credenciales de usuario) reenviará la OAuth Identity del usuario que haya iniciado sesión más recientemente. Esto puede permitir a poseedores de tokens de API recuperar datos a los que no presentan acceso previsto. Este ataque depende de que la instancia de Grafana tenga fuentes de datos que soporten la funcionalidad Forward OAuth Identity, de que la instancia de Grafana tenga una fuente de datos con la función Forward OAuth Identity activada, de que la instancia de Grafana tenga OAuth habilitado y de que la instancia de Grafana tenga claves de API usables. Este problema ha sido corregido en las versiones 7.5.13 y 8.3.4"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:N/A:N","baseScore":3.5,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-Other"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"7.2.0","versionEndExcluding":"7.5.13","matchCriteriaId":"DB832562-836C-4E18-8086-1260790CD2EE"},{"vulnerable":true,"criteria":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.3.4","matchCriteriaId":"4FE88214-73A3-43A6-9858-F8CDE027D1FA"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","matchCriteriaId":"A930E247-0B43-43CB-98FF-6CE7B8189835"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","matchCriteriaId":"80E516C0-98A4-4ADE-B69F-66A772E2BAAA"},{"vulnerable":true,"criteria":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","matchCriteriaId":"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD"}]}]}],"references":[{"url":"https://github.com/grafana/grafana/releases/tag/v7.5.13","source":"security-advisories@github.com","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/grafana/grafana/releases/tag/v8.3.4","source":"security-advisories@github.com","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/","source":"security-advisories@github.com"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/","source":"security-advisories@github.com"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/","source":"security-advisories@github.com"},{"url":"https://security.netapp.com/advisory/ntap-20220303-0004/","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/grafana/grafana/releases/tag/v7.5.13","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/grafana/grafana/releases/tag/v8.3.4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://security.netapp.com/advisory/ntap-20220303-0004/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}