CVE-2022-32275

Description

Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd URI. NOTE: the vendor's position is that there is no vulnerability; this request yields a benign error page, not /etc/passwd content

How to fix CVE-2022-32275

To remediate CVE-2022-32275, upgrade the affected package to a fixed version below.

Bitnami/grafana—upgrade to 8.4.4 or later

Is CVE-2022-32275 being exploited?

Likely — EPSS is 67.4%, placing CVE-2022-32275 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

>= 8.4.3, < 8.4.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (7)

WEBgithub.com/BrotherOfJhonny/grafana
WEBgithub.com/BrotherOfJhonny/grafana/blob/main/README.md
WEBgithub.com/grafana/grafana/issues/50336
WEBgithub.com/grafana/grafana/issues/50341#issuecomment-1155252393
WEB