7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-36062

GHSA ID

GHSA-p978-56hq-r492

EPSS Score

0.31568%

CWE

CWE-281

Published

5/14/2024

Updated

8/7/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36062

CVE-2022-36062: Grafana folders admin only permission privilege escalation

Today we are releasing Grafana 9.1.6, 9.0.9, 8.5.13. This patch release includes a Moderate severity security fix for CVE-2022-36062 that affects Grafana instances which are using Grafana role-based access control (RBAC).

Release 9.1.6, latest patch, also containing security fix:

Release 9.0.9, only containing security fix:

Release 8.5.13, only containing security fix:

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure's Grafana as a service offering.

Privilege escalation (CVE-2022-36062)

Summary

On August 29 we have received a bug report for Grafana role-based access control (RBAC) and confirmed a vulnerability in the Grafana. This vulnerability impacts folders/dashboards with Admin only permissions and where RBAC was ever enabled at least once.

When RBAC is enabled, Grafana runs migrations which translate legacy access control permissions into RBAC permissions. The migrations contain a bug, which grants additional access to folders/dashboards which only had Admin role grant, resulting in a privilege escalation where Editors can edit and Viewers can view the folder/dashboard which they should not have access to.

The CVSS score for this vulnerability is 6.4 Moderate (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L).

Miggo Vulnerability Database

→

CVE-2022-36062

CVE-2022-36062:

7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-36062

GHSA ID

GHSA-p978-56hq-r492

EPSS Score

0.31568%

CWE

CWE-281

Published

5/14/2024

Updated

8/7/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/grafana/grafana	go	>= 8.5.0, < 8.5.13	8.5.13
github.com/grafana/grafana	go	>= 9.0.0, < 9.0.9	9.0.9
github.com/grafana/grafana	go	>= 9.1.0, < 9.1.6	9.1.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from flawed RBAC migration logic that improperly translated legacy permissions. The advisory specifically mentions that 'migrations contain a bug which grants additional access' when only Admin permissions existed. While exact function names aren't disclosed, Grafana's architecture places RBAC migrations in the sqlstore service, and the CWE-281 (Improper Preservation of Permissions) directly points to permission translation logic as the vulnerable component. The high confidence comes from the direct correlation between described vulnerability behavior and standard Grafana RBAC migration implementation patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

7.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-36062: Grafana folders admin only permission privilege escalation

Privilege escalation (CVE-2022-36062)

Summary

CVE-2022-36062:

7.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

7.6

7.6

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

CVE-2022-36062: Grafana folders admin only permission privilege escalation

Privilege escalation (CVE-2022-36062)

Summary

Reasoning

Impacted versions

Solutions and mitigations

Timeline

Reporting security issues

Security announcements

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI