{"api_version":"1","generated_at":"2026-04-23T00:42:09+00:00","cve":"CVE-2022-21713","urls":{"html":"https://cve.report/CVE-2022-21713","api":"https://cve.report/api/cve/CVE-2022-21713.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-21713","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-21713"},"summary":{"title":"CVE-2022-21713","description":"Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-02-08 21:15:00","updated_at":"2023-11-07 03:43:00"},"problem_types":["CWE-639"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/","name":"FEDORA-2022-9dd03cab55","refsource":"","tags":[],"title":"[SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/","name":"https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/","refsource":"MISC","tags":[],"title":"Grafana 7.5.15 and 8.3.5 released with moderate severity security fixes | Grafana Labs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv","name":"https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv","refsource":"CONFIRM","tags":[],"title":"CVE-2022-21713: Grafana Teams API IDOR · Advisory · grafana/grafana · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20220303-0005/","name":"https://security.netapp.com/advisory/ntap-20220303-0005/","refsource":"CONFIRM","tags":[],"title":"February 2022 Grafana Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/","name":"FEDORA-2022-c5383675d9","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/","name":"FEDORA-2022-83405f9d5b","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/","name":"FEDORA-2022-c5383675d9","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: grafana-7.5.15-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/","name":"FEDORA-2022-83405f9d5b","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: grafana-7.5.15-2.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/","name":"FEDORA-2022-9dd03cab55","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 35 Update: grafana-7.5.15-2.fc35 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/grafana/grafana/pull/45083","name":"https://github.com/grafana/grafana/pull/45083","refsource":"MISC","tags":[],"title":"Security: Sync security changes on main by dsotirakis · Pull Request #45083 · grafana/grafana · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-21713","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21713","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"35","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"5.0.0","cpe7":"beta1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"5.0.0","cpe7":"beta2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"5.0.0","cpe7":"beta3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"5.0.0","cpe7":"beta4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"5.0.0","cpe7":"beta5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"21713","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"e-series_performance_analyzer","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-21713","qid":"160238","title":"Oracle Enterprise Linux Security Update for grafana (ELSA-2022-7519)"},{"cve":"CVE-2022-21713","qid":"160278","title":"Oracle Enterprise Linux Security Update for grafana (ELSA-2022-8057)"},{"cve":"CVE-2022-21713","qid":"240850","title":"Red Hat Update for grafana security (RHSA-2022:7519)"},{"cve":"CVE-2022-21713","qid":"240902","title":"Red Hat Update for grafana security (RHSA-2022:8057)"},{"cve":"CVE-2022-21713","qid":"282601","title":"Fedora Security Update for grafana (FEDORA-2022-83405f9d5b)"},{"cve":"CVE-2022-21713","qid":"282602","title":"Fedora Security Update for grafana (FEDORA-2022-9dd03cab55)"},{"cve":"CVE-2022-21713","qid":"502305","title":"Alpine Linux Security Update for grafana"},{"cve":"CVE-2022-21713","qid":"690803","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for grafana (d71d154a-8b83-11ec-b369-6c3be5272acd)"},{"cve":"CVE-2022-21713","qid":"730423","title":"Grafana Multiple Security Vulnerabilities"},{"cve":"CVE-2022-21713","qid":"752251","title":"SUSE Enterprise Linux Security Update for SUSE Manager Client Tools (SUSE-SU-2022:2134-1)"},{"cve":"CVE-2022-21713","qid":"753255","title":"SUSE Enterprise Linux Security Update for grafana (SUSE-SU-2022:3765-1)"},{"cve":"CVE-2022-21713","qid":"940770","title":"AlmaLinux Security Update for grafana (ALSA-2022:7519)"},{"cve":"CVE-2022-21713","qid":"940826","title":"AlmaLinux Security Update for grafana (ALSA-2022:8057)"},{"cve":"CVE-2022-21713","qid":"960182","title":"Rocky Linux Security Update for grafana (RLSA-2022:7519)"},{"cve":"CVE-2022-21713","qid":"960528","title":"Rocky Linux Security Update for grafana (RLSA-2022:8057)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-21713","STATE":"PUBLIC","TITLE":"Exposure of Sensitive Information in Grafana"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"grafana","version":{"version_data":[{"version_value":">= 5.0.0-beta1, < 7.5.15"},{"version_value":">= 8.0.0, < 8.3.5"}]}}]},"vendor_name":"grafana"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-863: Incorrect Authorization"}]}]},"references":{"reference_data":[{"name":"https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/","refsource":"MISC","url":"https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/"},{"name":"https://github.com/grafana/grafana/pull/45083","refsource":"MISC","url":"https://github.com/grafana/grafana/pull/45083"},{"name":"https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv","refsource":"CONFIRM","url":"https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20220303-0005/","url":"https://security.netapp.com/advisory/ntap-20220303-0005/"},{"refsource":"FEDORA","name":"FEDORA-2022-83405f9d5b","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/"},{"refsource":"FEDORA","name":"FEDORA-2022-9dd03cab55","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/"},{"refsource":"FEDORA","name":"FEDORA-2022-c5383675d9","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/"}]},"source":{"advisory":"GHSA-63g3-9jq3-mccv","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-02-08 21:15:00","lastModifiedDate":"2023-11-07 03:43:00","problem_types":["CWE-639"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.3.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.0","versionEndExcluding":"7.5.15","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:5.0.0:beta1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:5.0.0:beta2:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:5.0.0:beta3:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:5.0.0:beta4:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:5.0.0:beta5:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:e-series_performance_analyzer:*:*:*:*:*:*:*:*","versionEndExcluding":"3.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"21713","Ordinal":"221402","Title":"CVE-2022-21713","CVE":"CVE-2022-21713","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"21713","Ordinal":"1","NoteData":"Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.","Type":"Description","Title":null},{"CveYear":"2022","CveId":"21713","Ordinal":"2","NoteData":"2022-02-08","Type":"Other","Title":"Published"},{"CveYear":"2022","CveId":"21713","Ordinal":"3","NoteData":"2022-02-08","Type":"Other","Title":"Modified"}]}}}