CVE-2022-26148

An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.

Published: Mar 21, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-26148
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-312

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
grafana / grafana	-	7.3.4.x
redhat / ceph_storage	3.0	3.0.x
redhat / storage	3.0	3.0.x
redhat / ceph_storage	4.0	4.0.x
redhat / ceph_storage	5.0	5.0.x

https://2k8.org/post-319.html
https://security.netapp.com/advisory/ntap-20220425-0005/

Vulnerability Database

289,598

CVE-2022-26148