Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:golang/github.com/grafana/grafana/pkg/web@8.3.5
Typegolang
Namespacegithub.com/grafana/grafana/pkg
Nameweb
Version8.3.5
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-g45u-nf13-euee
vulnerability_id VCID-g45u-nf13-euee
summary 
Grafana Cross Site Request Forgery (CSRF)
Today we are releasing Grafana 8.3.5 and 7.5.15. This patch release includes MEDIUM severity security fix for Cross Site Request Forgery for Grafana.

Release v.8.3.5, only containing security fixes:

- [Download Grafana 8.3.5](https://grafana.com/grafana/download/8.3.5)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-3-5/)

Release v.7.5.15, only containing security fixes:

- [Download Grafana 7.5.15](https://grafana.com/grafana/download/7.5.15)
- [Release notes](https://grafana.com/docs/grafana/latest/release-notes/release-notes-7-5-15/)

## CSRF ([CVE-2022-21703](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21703))

### Summary
On Jan. 18, security researchers [jub0bs](https://twitter.com/jub0bs) and [abrahack](https://twitter.com/theabrahack) contacted Grafana to disclose a CSRF vulnerability which allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). 

We believe that this vulnerability is rated at CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N). 

### Impact
An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. 

### Affected versions with MEDIUM severity 
All Grafana >=3.0-beta1 versions are affected by this vulnerability.

### Solutions and mitigations

All installations after Grafana v3.0-beta1 should be upgraded as soon as possible.

Note that if you are running Grafana behind any reverse proxy, you need to make sure that you are passing the original Host and Origin headers from the client request to Grafana.

In the case of Apache Server, you need to add `ProxyPreserveHost on` in your proxy [configuration](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html). In case of NGINX, you can need to add `proxy_set_header Host $http_host;` in your [configuration](http://nginx.org/en/docs/http/ngx_http_proxy_module.html).

Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.

### Timeline and postmortem

Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
- 2022-01-18 03:00 Issue submitted by external researchers
- 2022-01-18 17:25 Vulnerability confirmed reproducible 
- 2022-01-19 07:40 CVSS score confirmed 6.8 at maximum and MEDIUM impact
- 2022-01-19 07:40 Begin mitigation for Grafana Cloud
- 2022-01-19 17:00 CVE requested 
- 2022-01-19 19:50 GitHub issues CVE-2022-21703
- 2022-01-21 10:50 PR with fix opened
- 2022-01-21 14:13 Private release planned for 2022-01-25, and public release planned for 2022-02-01.
- 2022-01-25 12:00 Private release
- 2022-02-01 12:00 During the public release process, we realized that private 7.x release was incomplete. Abort public release, send second private release to customers using 7.x
- 2022-02-08 12:00 Public release

### Acknowledgement

We would like to thank [jub0bs](https://twitter.com/jub0bs) and [abrahack](https://twitter.com/theabrahack) for responsibly disclosing the vulnerability.

### Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

### Security announcements

We maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21703.json
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21703.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-21703
reference_id
reference_type
scores
0
value 0.01422
scoring_system epss
scoring_elements 0.80662
published_at 2026-04-24T12:55:00Z
1
value 0.01422
scoring_system epss
scoring_elements 0.80637
published_at 2026-04-21T12:55:00Z
2
value 0.01869
scoring_system epss
scoring_elements 0.83103
published_at 2026-04-11T12:55:00Z
3
value 0.01869
scoring_system epss
scoring_elements 0.83131
published_at 2026-04-18T12:55:00Z
4
value 0.01869
scoring_system epss
scoring_elements 0.83087
published_at 2026-04-09T12:55:00Z
5
value 0.01869
scoring_system epss
scoring_elements 0.8308
published_at 2026-04-08T12:55:00Z
6
value 0.01869
scoring_system epss
scoring_elements 0.83055
published_at 2026-04-07T12:55:00Z
7
value 0.01869
scoring_system epss
scoring_elements 0.83057
published_at 2026-04-04T12:55:00Z
8
value 0.01869
scoring_system epss
scoring_elements 0.83044
published_at 2026-04-02T12:55:00Z
9
value 0.01869
scoring_system epss
scoring_elements 0.83092
published_at 2026-04-13T12:55:00Z
10
value 0.01869
scoring_system epss
scoring_elements 0.83097
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-21703
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/grafana/grafana/pull/45083
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
1
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:11:04Z/
url https://github.com/grafana/grafana/pull/45083
4
reference_url https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
1
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:11:04Z/
url https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w
5
reference_url https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-21703
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-21703
10
reference_url https://security.netapp.com/advisory/ntap-20220303-0005
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20220303-0005
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2050742
reference_id 2050742
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2050742
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
reference_id 2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:11:04Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
reference_id 36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:11:04Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
14
reference_url https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
reference_id grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:11:04Z/
url https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
reference_id HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:11:04Z/
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
16
reference_url https://security.netapp.com/advisory/ntap-20220303-0005/
reference_id ntap-20220303-0005
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:11:04Z/
url https://security.netapp.com/advisory/ntap-20220303-0005/
17
reference_url https://access.redhat.com/errata/RHSA-2022:7519
reference_id RHSA-2022:7519
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:7519
18
reference_url https://access.redhat.com/errata/RHSA-2022:8057
reference_id RHSA-2022:8057
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:8057
fixed_packages
0
url pkg:golang/github.com/grafana/grafana/pkg/web@7.5.15
purl pkg:golang/github.com/grafana/grafana/pkg/web@7.5.15
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/grafana/grafana/pkg/web@7.5.15
1
url pkg:golang/github.com/grafana/grafana/pkg/web@8.3.5
purl pkg:golang/github.com/grafana/grafana/pkg/web@8.3.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/grafana/grafana/pkg/web@8.3.5
aliases CVE-2022-21703, GHSA-cmf4-h3xc-jw8w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g45u-nf13-euee
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:golang/github.com/grafana/grafana/pkg/web@8.3.5