Test ID:	1.3.6.1.4.1.25623.1.0.148743
Category:	Web application abuses
Title:	Grafana Privilege Escalation Vulnerability (GHSA-ff5c-938w-8c9q)
Summary:	Grafana is prone to a privilege escalation vulnerability.
Description:	Summary: Grafana is prone to a privilege escalation vulnerability. Vulnerability Insight: Grafana allows an escalation from Admin privileges to Server Admin when Auth proxy authentication is used. Auth proxy allows to authenticate a user by only providing the username (or email) in a X-WEBAUTH-USER HTTP header: the trust assumption is that a front proxy will take care of authentication and that Grafana server is publicly reachable only with this front proxy. Datasource proxy breaks this assumption: - it is possible to configure a fake datasource pointing to a localhost Grafana install with a X-WEBAUTH-USER HTTP header containing admin username. - This fake datasource can be called publicly via this proxying feature. Affected Software/OS: Grafana prior to version 8.5.13, version 9.0.x through 9.0.8 and 9.1.x through 9.1.5 if the Auth Proxy is used. Solution: Update to version 8.5.13, 9.0.9, 9.1.6 or later. CVSS Score: 6.8 CVSS Vector: AV:N/AC:H/Au:M/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2022-35957 https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H/
Copyright	Copyright (C) 2022 Greenbone Networks GmbH

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.