Security release: New versions of Grafana with critical and moderate fixes for CVE-2022-39328, CVE-2022-39307, and CVE-2022-39306

Company

Grafana Labs

Date Published

Nov. 8, 2022

Author

Grafana Labs Team

Word count

638

Language

English

Hacker News points

None

URL

grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306

Summary

Grafana Labs has released new versions 9.2.4 and 8.5.15 to address critical and moderate security vulnerabilities identified as CVE-2022-39328, CVE-2022-39307, and CVE-2022-39306. These updates resolve issues such as privilege escalation due to a race condition in HTTP context creation, vulnerability from using invitation links to sign up with arbitrary usernames or email addresses, and a username enumeration risk during password reset processes. Users are urged to upgrade their Grafana installations to protect against these vulnerabilities, with appropriate patches already applied to Grafana Cloud and coordinated with cloud providers like Amazon and Azure. Grafana Labs encourages users to report any security vulnerabilities via their dedicated security email and offers security announcements and updates through their blog and RSS feed.