{"api_version":"1","generated_at":"2026-05-13T03:32:08+00:00","cve":"CVE-2022-23498","urls":{"html":"https://cve.report/CVE-2022-23498","api":"https://cve.report/api/cve/CVE-2022-23498.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-23498","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-23498"},"summary":{"title":"CVE-2022-23498","description":"Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-02-03 22:15:00","updated_at":"2023-11-07 03:44:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8","name":"https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8","refsource":"MISC","tags":[],"title":"Use of Cache Containing Sensitive Information · Advisory · grafana/grafana · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-23498","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23498","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"23498","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23498","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"8.3.0","cpe7":"beta1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"23498","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"grafana","cpe5":"grafana","cpe6":"8.3.0","cpe7":"beta2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-23498","qid":"150650","title":"Grafana Sensitive Information Disclosure Vulnerability (CVE-2022-23498)"},{"cve":"CVE-2022-23498","qid":"730756","title":"Grafana Multiple Stored Cross-Site Scripting (XSS) Vulnerabilities"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-23498","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including `grafana_session`. As a result, any user that queries a datasource where the caching is enabled can acquire another user’s session. To mitigate the vulnerability you can disable datasource query caching for all datasources. This issue has been patched in versions 9.2.10 and 9.3.4."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","cweId":"CWE-200"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"grafana","product":{"product_data":[{"product_name":"grafana","version":{"version_data":[{"version_value":">= 8.3.0-beta1, < 9.2.10","version_affected":"="}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8","refsource":"MISC","name":"https://github.com/grafana/grafana/security/advisories/GHSA-2j8f-6whh-frc8"}]},"source":{"advisory":"GHSA-2j8f-6whh-frc8","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}]}},"nvd":{"publishedDate":"2023-02-03 22:15:00","lastModifiedDate":"2023-11-07 03:44:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"9.3.0","versionEndExcluding":"9.3.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:*:*:*:*:*:*:*:*","versionStartIncluding":"8.3.1","versionEndExcluding":"9.2.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:8.3.0:beta1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:grafana:grafana:8.3.0:beta2:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"23498","Ordinal":"226416","Title":"CVE-2022-23498","CVE":"CVE-2022-23498","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"23498","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}