Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins | Grafana Labs

Products Open source Solutions Learn Company

Downloads Contact us Sign in

Create free account Contact us

Products

Core LGTM Stack

Logs

powered by Grafana Loki

Grafana

for visualization

Traces

powered by Grafana Tempo

Metrics

powered by Grafana Mimir and Prometheus

Expand The Stack

Plugins

Connect Grafana to data sources, apps, and more

Incident Response & Management

with Grafana Alerting, Grafana Incident, and Grafana OnCall

Performance testing

powered by Grafana k6

Deploy The Stack

Grafana Cloud

Fully managed

Grafana Enterprise

Self-managed

Pricing

Hint: It starts at FREE

Open Source

Grafana Loki

Multi-tenant log aggregation system

Grafana

Query, visualize, and alert on data

Grafana Tempo

High-scale distributed tracing backend

Grafana Mimir

Scalable and performant metrics backend

Grafana OnCall

On-call management

Grafana Phlare

Scalable continuous profiling backend

Grafana Faro

Frontend application observability web SDK

Grafana Agent

Batteries-included telemetry collector

Grafana k6

Load testing for engineering teams

Prometheus

Monitor Kubernetes and cloud native

OpenTelemetry

Instrument and collect telemetry data

Graphite

Scalable monitoring for time series data

Community resources

Dashboard templates

Try out and share prebuilt visualizations

Prometheus exporters

Get your metrics into Prometheus quickly

Featured Solutions

Learn

Stay up to date

Observability Survey 2023

Key findings and results

New

ObservabilityCON on the Road 2023

Open source observability conference

Blog

News, releases, cool stories, and more

Events

Upcoming in-person and virtual events

Success stories

By use case, product, and industry

Technical learning

Documentation

All the docs

Webinars and videos

Demos, webinars, and feature tours

Tutorials

Step-by-step guides

Workshops

Free, in-person or online

Writers' Toolkit

Contribute to technical documentation provided by Grafana Labs

Join the community

Community forums

Ask the community for help

Community Slack

Real-time engagement

Company

Careers We're hiring

Products

Logs

powered by Grafana Loki

Grafana

for visualization

Traces

powered by Grafana Tempo

Metrics

powered by Grafana Mimir and Prometheus

Plugins

Connect Grafana to data sources, apps, and more

Incident Response & Management

with Grafana Alerting, Grafana Incident, and Grafana OnCall

Performance testing

powered by Grafana k6

Grafana Cloud

Fully managed

Grafana Enterprise

Self-managed

Pricing

Hint: It starts at FREE

Open source Grafana Grafana Loki Grafana Mimir Grafana OnCall Grafana Tempo Grafana Agent Grafana k6 Prometheus Grafana Faro Grafana Phlare OpenTelemetry OSS Graphite

Learn

Observability Survey 2023

Key findings and results

New

ObservabilityCON on the Road 2023

Open source observability conference

Blog

News, releases, cool stories, and more

Events

Upcoming in-person and virtual events

Success stories

By use case, product, and industry

Documentation

All the docs

Webinars and videos

Demos, webinars, and feature tours

Tutorials

Step-by-step guides

Workshops

Free, in-person or online

Writers' Toolkit

Contribute to technical documentation provided by Grafana Labs

Community forums

Ask the community for help

Community Slack

Real-time engagement

Company Our team Careers Events Partnerships Newsroom Contact us Merch

Core LGTM Stack

Logs

powered by Grafana Loki

Grafana

for visualization

Traces

powered by Grafana Tempo

Metrics

powered by Grafana Mimir and Prometheus

Expand The Stack

Plugins

Connect Grafana to data sources, apps, and more

Incident Response & Management

with Grafana Alerting, Grafana Incident, and Grafana OnCall

Performance testing

powered by Grafana k6

Deploy The Stack

Grafana Cloud

Fully managed

Grafana Enterprise

Self-managed

Pricing

Hint: It starts at FREE

Get Started

Free Forever plan:

10,000 series metrics
14-day retention
50 GB of logs
50 GB of traces
500 VUh of k6 testing
3 team members
Grafana, of course

Create free account

Grafana Loki

Multi-tenant log aggregation system

Grafana

Query, visualize, and alert on data

Grafana Tempo

High-scale distributed tracing backend

Grafana Mimir

Scalable and performant metrics backend

Grafana OnCall

On-call management

Grafana Phlare

Scalable continuous profiling backend

Grafana Faro

Frontend application observability web SDK

Grafana Agent

Batteries-included telemetry collector

Grafana k6

Load testing for engineering teams

Prometheus

Monitor Kubernetes and cloud native

OpenTelemetry

Instrument and collect telemetry data

Graphite

Scalable monitoring for time series data

Community resources

Dashboard templates

Try out and share prebuilt visualizations

Prometheus exporters

Get your metrics into Prometheus quickly

Featured Solutions

Stay up to date

Observability Survey 2023

Key findings and results

New

ObservabilityCON on the Road 2023

Open source observability conference

Blog

News, releases, cool stories, and more

Events

Upcoming in-person and virtual events

Success stories

By use case, product, and industry

Technical learning

Documentation

All the docs

Webinars and videos

Demos, webinars, and feature tours

Tutorials

Step-by-step guides

Workshops

Free, in-person or online

Writers' Toolkit

Contribute to technical documentation provided by Grafana Labs

Join the community

Community forums

Ask the community for help

Community Slack

Real-time engagement

Featured

Grafana 9.0 demo video

We’ll demo all the highlights of the major release: new and updated visualizations and themes, data source improvements, and Enterprise features.

Careers We're hiring

CVE ID: CVE-2022-39201

Date Published: 2022-10-12

Description:

Grafana is an open source observability and data visualization platform. Starting with version 5.0.0-beta1 and prior to versions 8.5.14 and 9.1.8, Grafana could leak the authentication cookie of users to plugins. The vulnerability impacts data source and plugin proxy endpoints under certain conditions. The destination plugin could receive a user’s Grafana authentication cookie. Versions 9.1.8 and 8.5.14 contain a patch for this issue. There are no known workarounds.