CVE-2022-36062

一、漏洞信息
漏洞编号：CVE-2022-36062
漏洞归属组件：grafana
漏洞归属的版本：10.2.6,6.7.4,7.5.11,7.5.15
CVSS V3.0分值：
BaseScore：3.8 Low
Vector：CVSS：3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
漏洞简述：
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.
漏洞公开时间：2022-09-23 02:15:10
漏洞创建时间：2022-09-21 15:00:05
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2022-36062

更多参考(点击展开)

参考来源	参考链接	来源链接
security-advisories.github.com	https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492
security-advisories.github.com	https://security.netapp.com/advisory/ntap-20221215-0001/
suse_bugzilla	https://bugzilla.redhat.com/show_bug.cgi?id=2125521	https://bugzilla.suse.com/show_bug.cgi?id=1203596
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36062	https://bugzilla.suse.com/show_bug.cgi?id=1203596
redhat_bugzilla	https://access.redhat.com/security/cve/cve-2022-36062	https://bugzilla.redhat.com/show_bug.cgi?id=2125521
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36062	https://ubuntu.com/security/CVE-2022-36062
ubuntu	https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492	https://ubuntu.com/security/CVE-2022-36062
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2022-36062	https://ubuntu.com/security/CVE-2022-36062
ubuntu	https://launchpad.net/bugs/cve/CVE-2022-36062	https://ubuntu.com/security/CVE-2022-36062
ubuntu	https://security-tracker.debian.org/tracker/CVE-2022-36062	https://ubuntu.com/security/CVE-2022-36062
debian		https://security-tracker.debian.org/tracker/CVE-2022-36062
anolis		https://anas.openanolis.cn/cves/detail/CVE-2022-36062
cve_search		https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492
github_advisory	https://security.netapp.com/advisory/ntap-20221215-0001/	https://github.com/advisories/GHSA-p978-56hq-r492
github_advisory	https://nvd.nist.gov/vuln/detail/CVE-2022-36062	https://github.com/advisories/GHSA-p978-56hq-r492
github_advisory	https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492	https://github.com/advisories/GHSA-p978-56hq-r492
grafana		https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492
go	https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492	https://github.com/golang/vulndb/blob/master/reports/GO-2024-2854.yaml
go	https://nvd.nist.gov/vuln/detail/CVE-2022-36062	https://github.com/golang/vulndb/blob/master/reports/GO-2024-2854.yaml
go	https://security.netapp.com/advisory/ntap-20221215-0001	https://github.com/golang/vulndb/blob/master/reports/GO-2024-2854.yaml
osv	https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492	https://osv.dev/vulnerability/CVE-2022-36062
osv	https://security.netapp.com/advisory/ntap-20221215-0001/	https://osv.dev/vulnerability/CVE-2022-36062

漏洞分析指导链接：
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
		https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492		nvd
		https://security.netapp.com/advisory/ntap-20221215-0001/		nvd

二、漏洞分析结构反馈
影响性分析说明：
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.
openEuler评分：
3.8
Vector：CVSS：3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
受影响版本排查(受影响/不受影响)：
1.openEuler-20.03-LTS-SP4(7.5.15):受影响
2.openEuler-22.03-LTS-SP3(7.5.15):受影响
3.openEuler-22.03-LTS-SP4(7.5.15):受影响
4.openEuler-24.03-LTS(7.5.15):受影响
5.openEuler-24.03-LTS-Next(7.5.15):受影响
6.openEuler-24.03-LTS-SP1(7.5.15):受影响
7.master(10.2.6):不受影响

修复是否涉及abi变化(是/否)：
1.master(10.2.6):否
2.openEuler-20.03-LTS-SP4(7.5.15):否
3.openEuler-22.03-LTS-SP3(7.5.15):否
4.openEuler-22.03-LTS-SP4(7.5.15):否
5.openEuler-24.03-LTS(7.5.15):否
6.openEuler-24.03-LTS-Next(7.5.15):否
7.openEuler-24.03-LTS-SP1(7.5.15):否

原因说明：
1.openEuler-22.03-LTS-SP3(7.5.15):正常修复
2.openEuler-22.03-LTS-SP4(7.5.15):正常修复
3.openEuler-24.03-LTS(7.5.15):正常修复
4.openEuler-24.03-LTS-Next(7.5.15):正常修复
5.openEuler-24.03-LTS-SP1(7.5.15):正常修复
6.openEuler-20.03-LTS-SP4(7.5.15):暂不修复-待升级版本修复
7.master(10.2.6):不受影响-漏洞代码不能被攻击者触发

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2025-1189

参考网址	关联pr	状态	补丁链接
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-36062
https://www.opencve.io/cve/CVE-2022-36062
https://nvd.nist.gov/vuln/detail/CVE-2022-36062
https://security-tracker.debian.org/tracker/CVE-2022-36062
https://ubuntu.com/security/CVE-2022-36062
http://www.cnnvd.org.cn/web/vulnerability/queryLds.tag?qcvCnnvdid=CVE-2022-36062

说明：抱歉，当前工具暂未找到推荐补丁，请人工查找或者之后评论'/find-patch'尝试再次查找。
若人工查找到补丁，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

影响性分析说明:
根据https://nvd.nist.gov/vuln/detail/CVE-2022-36062 如果要修复这个补丁，目前的版本为7.3.6，7.5.15, 就要升级到8.5.13版本，版本跨度太大，建议挂起
openEuler评分: (评分和向量)
3.8 Low
受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP1(7.3.6):受影响
2.openEuler-20.03-LTS-SP3(7.3.6):受影响
3.openEuler-22.03-LTS(7.5.15):受影响
4.openEuler-22.09(7.5.15):受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(7.3.6):否
2.openEuler-20.03-LTS-SP3(7.3.6):否
3.openEuler-22.03-LTS(7.5.15):否
4.openEuler-22.09(7.5.15):否

影响性分析说明：
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.

openEuler评分：
3.8
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

受影响版本排查(受影响/不受影响)：
1.master(10.2.6): 不受影响
2.openEuler-20.03-LTS-SP4(7.5.15): 受影响
3.openEuler-22.03-LTS-SP3(7.5.15): 受影响
4.openEuler-22.03-LTS-SP4(7.5.15): 受影响
5.openEuler-24.03-LTS(7.5.15): 受影响
6.openEuler-24.03-LTS-Next(7.5.15): 受影响
7.openEuler-24.03-LTS-SP1(7.5.15): 受影响

修复是否涉及abi变化(是/否)：
1.master(10.2.6): 否
2.openEuler-20.03-LTS-SP4(7.5.15): 否
3.openEuler-22.03-LTS-SP3(7.5.15): 否
4.openEuler-22.03-LTS-SP4(7.5.15): 否
5.openEuler-24.03-LTS(7.5.15): 否
6.openEuler-24.03-LTS-Next(7.5.15): 否
7.openEuler-24.03-LTS-SP1(7.5.15): 否

原因说明：
1.master(10.2.6): 不受影响-漏洞代码不能被攻击者触发
2.openEuler-20.03-LTS-SP4(7.5.15): 暂不修复-待升级版本修复
3.openEuler-22.03-LTS-SP3(7.5.15): 正常修复
4.openEuler-22.03-LTS-SP4(7.5.15): 正常修复
5.openEuler-24.03-LTS(7.5.15): 正常修复
6.openEuler-24.03-LTS-Next(7.5.15): 正常修复
7.openEuler-24.03-LTS-SP1(7.5.15): 正常修复

@AlexZ11 经过 cve-manager 解析, 已分析的内容如下表所示:
| 状态  | 分析项目 | 内容 |
|:--:|:--:|---------|
|已分析|1.影响性分析说明|Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.|
|已分析|2.openEulerScore|3.8|
|已分析|3.openEulerVector|AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N|
|已分析|4.受影响版本排查|openEuler-20.03-LTS-SP4:受影响,openEuler-22.03-LTS-SP3:受影响,openEuler-22.03-LTS-SP4:受影响,openEuler-24.03-LTS:受影响,openEuler-24.03-LTS-Next:受影响,openEuler-24.03-LTS-SP1:受影响,master:不受影响|
|已分析|5.是否涉及abi变化|master:否,openEuler-20.03-LTS-SP4:否,openEuler-22.03-LTS-SP3:否,openEuler-22.03-LTS-SP4:否,openEuler-24.03-LTS:否,openEuler-24.03-LTS-Next:否,openEuler-24.03-LTS-SP1:否|
|已分析|6.原因说明|openEuler-22.03-LTS-SP3:正常修复,openEuler-22.03-LTS-SP4:正常修复,openEuler-24.03-LTS:正常修复,openEuler-24.03-LTS-Next:正常修复,openEuler-24.03-LTS-SP1:正常修复,openEuler-20.03-LTS-SP4:暂不修复-待升级版本修复,master:不受影响-漏洞代码不能被攻击者触发|

**请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.**

当前20.03-LTS-SP4分支golang为1.15.7版本，依赖版本不满足，暂不修复。

src-openEuler/grafana

内容风险标识

评论 (8)

src-openEuler/grafana .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2022-36062

评论 (8)

搜索帮助

src-openEuler/grafana