Login Sign Up

CVE-2022-23498

7.1 HIGH

📋 TL;DR

Grafana's datasource query caching feature inadvertently caches session headers, allowing authenticated users to potentially acquire other users' sessions when querying cached datasources. This affects all Grafana instances with datasource query caching enabled. The vulnerability enables session hijacking within the monitoring platform.

💻 Affected Systems

Products:
  • Grafana
Versions: All versions before 9.2.10 and 9.3.x before 9.3.4
Operating Systems: All platforms running Grafana
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when datasource query caching is explicitly enabled; not enabled by default.

📦 What is this software?

Grafana by Grafana

View all CVEs affecting Grafana →

Grafana by Grafana

View all CVEs affecting Grafana →

Grafana by Grafana

View all CVEs affecting Grafana →

Grafana by Grafana

View all CVEs affecting Grafana →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to Grafana, potentially compromising monitoring data, creating backdoors, or pivoting to other systems.

🟠

Likely Case

Authenticated users escalate privileges or access other users' dashboards and data without authorization.

🟢

If Mitigated

Minimal impact with proper patching or caching disabled; session isolation remains intact.

🌐 Internet-Facing: HIGH if caching enabled and Grafana exposed to internet, as authenticated users could exploit.
🏢 Internal Only: MEDIUM to HIGH depending on internal user trust levels and caching configuration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to Grafana and caching enabled; trivial for authenticated attackers to query cached datasources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.10 or 9.3.4

Vendor Advisory: https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8

Restart Required: Yes

Instructions:

1. Backup Grafana configuration and data. 2. Upgrade to Grafana 9.2.10 (for 9.2.x) or 9.3.4 (for 9.3.x). 3. Restart Grafana service. 4. Verify version with 'grafana-server -v'.

🔧 Temporary Workarounds

Disable datasource query caching

all

Disable caching for all datasources to prevent session header caching.

Edit Grafana configuration file (grafana.ini) and set [datasource] cache_enabled = false
Restart Grafana: systemctl restart grafana-server

🧯 If You Can't Patch

  • Disable datasource query caching immediately via configuration.
  • Restrict user access to only trusted personnel and monitor for unusual query patterns.

🔍 How to Verify

Check if Vulnerable:

Check Grafana version with 'grafana-server -v' or web interface; if version <9.2.10 or 9.3.x <9.3.4, and caching enabled, vulnerable.

Check Version:

grafana-server -v

Verify Fix Applied:

Confirm version is 9.2.10+ or 9.3.4+ and caching can remain enabled safely.

📡 Detection & Monitoring

Log Indicators:

  • Unusual session activity from same IP/user
  • Multiple session creations for single user

Network Indicators:

  • Repeated queries to cached datasources from unexpected users

SIEM Query:

source="grafana" AND (event="query" OR event="session") | stats count by user, datasource

📊 Metadata

CVE ID: CVE-2022-23498
CVSS v3 Score: 7.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
CWE: CWE-200
Published: February 3, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-23498, you might also want to check these:

CVE-2025-61481 10.0

MikroTik RouterOS and SwOS expose their WebFig management interface over unencrypted HTTP by default...

Same vulnerability type (CWE-200)
CVE-2025-53624 10.0

The Docusaurus gists plugin versions before 4.0.0 expose GitHub Personal Access Tokens in client-sid...

Same vulnerability type (CWE-200)
CVE-2023-49103 10.0

This vulnerability in ownCloud's graphapi app exposes PHP configuration details (phpinfo) via a thir...

Same vulnerability type (CWE-200)