Data Exposure Vulnerability in Grafana with Zabbix Integration
CVE-2022-26148
9.8 CRITICAL
Summary
A vulnerability in Grafana, when integrated with Zabbix, exposes sensitive information. The Zabbix password is embedded in the HTML source of api_jsonrpc.php. The exposure can occur when a user logs in and enables user registration. By right-clicking to view the page source, malicious actors can search it for the password, leading to unauthorized access to the Zabbix account and its associated URL. The issue highlights the importance of secure coding practices that keep sensitive data out of content served to the client.
EPSS Score
41% chance of being exploited in the next 30 days.
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved