
Vulnerability_id VCID-48yx-mkmv-g7bu
Summary
Grafana Email addresses and usernames can not be trusted
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate severity security fixes for CVE-2022-39306.

We are also releasing security patches for Grafana 8.5.15 to fix these issues.

Release 9.2.4, the latest patch release, which also contains the security fix:

- [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4)

Release 8.5.15, containing only the security fix:

- [Download Grafana 8.5.15](https://grafana.com/grafana/download/8.5.15)

Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and, as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This applies to Amazon Managed Grafana and Azure Managed Grafana as service offerings.

## Privilege escalation 

### Summary 

Grafana admins can invite other members to the organization they administer. When an admin adds members to the organization, non-existing users receive an email invite, while existing users are added directly to the organization.
The invite link, once sent, lets the recipient sign up with whatever username and email address they choose and become a member of the organization; neither value is checked against the address the admin actually invited.
The CVSS score for this vulnerability is [6.4 Moderate](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N&version=3.1).

### Impact

This vulnerability makes it possible to use an invitation link to sign up with an arbitrary username/email address with malicious intent.
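The advisory's core point is that an invite token proves only that the link was received, not who is accepting it, so the email address (and username) submitted on the signup form cannot be trusted. The following Go program, written for this page and not taken from Grafana's code base, contrasts the two acceptance paths: `AcceptUntrusted` models the weak pattern, where the submitted identity is taken at face value, and `AcceptBound` models the mitigation, where the address is fixed at invite creation and a mismatching signup is rejected before the single-use token is consumed. All type and function names, the in-memory store and the sample addresses are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrInviteNotFound = errors.New("invite: unknown token")
	ErrInviteExpired  = errors.New("invite: expired")
	ErrInviteUsed     = errors.New("invite: already used")
	ErrEmailMismatch  = errors.New("invite: email does not match the invited address")
)

// Invite is the server-side record created when an admin invites an address.
// Hypothetical structure for this example, not Grafana's own.
type Invite struct {
	Token     string
	Email     string // the address the admin actually invited (normalized)
	OrgID     int
	ExpiresAt time.Time
	Used      bool
}

// Member is the result of a completed signup.
type Member struct {
	Login string
	Email string
	OrgID int
}

// InviteStore keeps invites in memory; the clock is injectable so expiry can be tested.
type InviteStore struct {
	invites map[string]*Invite
	now     func() time.Time
}

func NewInviteStore(now func() time.Time) *InviteStore {
	return &InviteStore{invites: map[string]*Invite{}, now: now}
}

func normalizeEmail(e string) string {
	return strings.ToLower(strings.TrimSpace(e))
}

// Create issues a random single-use token bound to the invited address and org.
func (s *InviteStore) Create(email string, orgID int, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.invites[tok] = &Invite{Token: tok, Email: normalizeEmail(email), OrgID: orgID, ExpiresAt: s.now().Add(ttl)}
	return tok, nil
}

// lookup checks existence, single use and expiry; it does not consume the token,
// so a rejected signup attempt leaves the invite valid for the intended recipient.
func (s *InviteStore) lookup(token string) (*Invite, error) {
	inv, ok := s.invites[token]
	if !ok {
		return nil, ErrInviteNotFound
	}
	if inv.Used {
		return nil, ErrInviteUsed
	}
	if !s.now().Before(inv.ExpiresAt) {
		return nil, ErrInviteExpired
	}
	return inv, nil
}

// AcceptUntrusted is the weak pattern: whatever login and email the form carries
// become the new member's identity. The token only gates access to the form.
func (s *InviteStore) AcceptUntrusted(token, login, email string) (Member, error) {
	inv, err := s.lookup(token)
	if err != nil {
		return Member{}, err
	}
	inv.Used = true
	return Member{Login: login, Email: normalizeEmail(email), OrgID: inv.OrgID}, nil
}

// AcceptBound is the mitigated pattern: the email is taken from the stored invite,
// and a submitted address that differs from it is rejected without consuming the token.
func (s *InviteStore) AcceptBound(token, login, email string) (Member, error) {
	inv, err := s.lookup(token)
	if err != nil {
		return Member{}, err
	}
	if normalizeEmail(email) != inv.Email {
		return Member{}, ErrEmailMismatch
	}
	inv.Used = true
	return Member{Login: login, Email: inv.Email, OrgID: inv.OrgID}, nil
}

func main() {
	s := NewInviteStore(time.Now)
	tok, _ := s.Create("alice@example.com", 7, time.Hour) // constructed sample invite
	_, err := s.AcceptBound(tok, "mallory", "mallory@example.com")
	fmt.Println("bound path, wrong address:", err)
	m, err := s.AcceptBound(tok, "alice", "Alice@Example.com")
	fmt.Printf("bound path, invited address: %+v err=%v\n", m, err)
}
```

The detail worth copying is the ordering in `AcceptBound`: the address comparison happens before `Used` is set, so a mismatching attempt neither grants membership nor burns the invite for the person it was meant for. Normalizing the address on both sides (trim, lower-case) avoids spurious rejections without weakening the check.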

### Impacted versions

All installations of Grafana versions <=9.x, <8.x

### Solutions and mitigations

To fully address CVE-2022-39306, please upgrade your Grafana instances. 
Appropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud).

## Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

## Security announcements

We maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).
Aliases
0
alias CVE-2022-39306
1
alias GHSA-2x6g-h2hg-rq84
Fixed_packages
Affected_packages
0
url pkg:rpm/redhat/grafana@9.2.10-7?arch=el9_3
purl pkg:rpm/redhat/grafana@9.2.10-7?arch=el9_3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-48yx-mkmv-g7bu
1
vulnerability VCID-4ufj-v5z1-huec
2
vulnerability VCID-5kkq-5jpf-fqev
3
vulnerability VCID-assu-2cry-hqcg
4
vulnerability VCID-fvta-uqdk-37fd
5
vulnerability VCID-jgdy-pgdk-pyhb
6
vulnerability VCID-n4bf-cm4s-ayew
7
vulnerability VCID-nhp5-mapc-6qc1
8
vulnerability VCID-nm7f-bj7m-zybt
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/grafana@9.2.10-7%3Farch=el9_3
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39306.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39306.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39306
reference_id
reference_type
scores
0
value 0.00367
scoring_system epss
scoring_elements 0.58653
published_at 2026-04-08T12:55:00Z
1
value 0.00367
scoring_system epss
scoring_elements 0.58658
published_at 2026-04-12T12:55:00Z
2
value 0.00367
scoring_system epss
scoring_elements 0.58677
published_at 2026-04-11T12:55:00Z
3
value 0.00367
scoring_system epss
scoring_elements 0.58659
published_at 2026-04-09T12:55:00Z
4
value 0.00367
scoring_system epss
scoring_elements 0.5867
published_at 2026-04-16T12:55:00Z
5
value 0.00367
scoring_system epss
scoring_elements 0.58638
published_at 2026-04-13T12:55:00Z
6
value 0.00415
scoring_system epss
scoring_elements 0.61685
published_at 2026-04-21T12:55:00Z
7
value 0.00415
scoring_system epss
scoring_elements 0.61701
published_at 2026-04-18T12:55:00Z
8
value 0.00415
scoring_system epss
scoring_elements 0.61678
published_at 2026-04-24T12:55:00Z
9
value 0.00492
scoring_system epss
scoring_elements 0.65621
published_at 2026-04-02T12:55:00Z
10
value 0.00492
scoring_system epss
scoring_elements 0.6565
published_at 2026-04-04T12:55:00Z
11
value 0.00492
scoring_system epss
scoring_elements 0.65616
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39306
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/grafana/grafana
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/grafana/grafana
4
reference_url https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:47:04Z/
url https://github.com/grafana/grafana/security/advisories/GHSA-2x6g-h2hg-rq84
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-39306
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-39306
6
reference_url https://security.netapp.com/advisory/ntap-20221215-0004
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20221215-0004
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2138014
reference_id 2138014
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2138014
8
reference_url https://security.netapp.com/advisory/ntap-20221215-0004/
reference_id ntap-20221215-0004
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:47:04Z/
url https://security.netapp.com/advisory/ntap-20221215-0004/
9
reference_url https://access.redhat.com/errata/RHSA-2023:3642
reference_id RHSA-2023:3642
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3642
10
reference_url https://access.redhat.com/errata/RHSA-2023:6420
reference_id RHSA-2023:6420
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6420
Weaknesses
0
cwe_id 20
name Improper Input Validation
description The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
1
cwe_id 303
name Incorrect Implementation of Authentication Algorithm
description The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
Exploits
Severity_range_score 6.4 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-48yx-mkmv-g7bu