{ "document": { "aggregate_severity": { "text": "Low" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/vex/2022/cve-2022-39324-els_os-almalinux9_2esu.json" } ], "title": "Security update on CVE-2022-39324", "tracking": { "current_release_date": "2026-01-19T22:22:42Z", "generator": { "date": "2026-01-19T22:22:42Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2022-39324-ELS_OS-ALMALINUX9.2ESU", "initial_release_date": "2022-01-01T00:00:00Z", "revision_history": [ { "date": "2022-01-01T00:00:00Z", "number": "1", "summary": "Initial version" }, { "date": "2025-10-08T17:34:29Z", "number": "2", "summary": "Official Publication" }, { "date": "2025-10-30T09:26:46Z", "number": "3", "summary": "Update document" }, { "date": "2025-11-29T11:27:37Z", "number": "4", "summary": "Update document" }, { "date": "2025-12-23T19:08:30Z", "number": "5", "summary": "Update document" }, { "date": "2026-01-19T22:22:42Z", "number": "6", "summary": "Update document" } ], "status": "final", "version": "6" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.2", "product": { "name": "AlmaLinux 9.2", "product_id": "AlmaLinux-9.2", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64", "product": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64", "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64", "product": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64", "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els10?arch=x86_64" } } }, { "category": "product_version", "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "product": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els9?arch=x86_64" } } }, { "category": "product_version", "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64", "product": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64", "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els6?arch=x86_64" } } }, { "category": "product_version", "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64", "product": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64", "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64", "product": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64", "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/grafana@9.0.9-4.el9_2.alma.1.tuxcare.els3?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64", "product": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64", "product_id": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/almalinux/grafana@9.0.9-4.el9_2.alma.1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64" }, "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64" }, "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64" }, "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64" }, "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64" }, "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64" }, "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.x86_64" }, "product_reference": "grafana-0:9.0.9-4.el9_2.alma.1.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-39324", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" }, "notes": [ { "category": "description", "text": "Grafana is an open-source platform for monitoring and observability. Prior to versions 8.5.16 and 9.2.8, malicious user can create a snapshot and arbitrarily choose the `originalUrl` parameter by editing the query, thanks to a web proxy. When another user opens the URL of the snapshot, they will be presented with the regular web interface delivered by the trusted Grafana server. The `Open original dashboard` button no longer points to the to the real original dashboard but to the attacker’s injected URL. This issue is fixed in versions 8.5.16 and 9.2.8.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2022-39324" }, { "category": "external", "summary": "https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a", "url": "https://github.com/grafana/grafana/commit/239888f22983010576bb3a9135a7294e88c0c74a" }, { "category": "external", "summary": "https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c", "url": "https://github.com/grafana/grafana/commit/d7dcea71ea763780dc286792a0afd560bff2985c" }, { "category": "external", "summary": "https://github.com/grafana/grafana/pull/60232", "url": "https://github.com/grafana/grafana/pull/60232" }, { "category": "external", "summary": "https://github.com/grafana/grafana/pull/60256", "url": "https://github.com/grafana/grafana/pull/60256" }, { "category": "external", "summary": "https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw", "url": "https://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20230309-0010/", "url": "https://security.netapp.com/advisory/ntap-20230309-0010/" } ], "release_date": "2023-01-27T23:15:00Z", "remediations": [ { "category": "no_fix_planned", "details": "Ignored due to low severity", "product_ids": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.x86_64" ] }, { "category": "no_fix_planned", "details": "This issue is a UI-level open-redirect in Grafana snapshots: it requires a low‑privileged, authenticated user to craft a snapshot and a separate user to open that specific link and click “Open original dashboard,” with no code execution or server‑side data exposure. Impact is limited to potentially misleading a user to an attacker‑controlled URL; confidentiality of the Grafana instance and data shown in the snapshot remain unaffected and availability is unchanged. Given the need for prior account access and explicit user interaction, it is reasonable to deprioritize in centrally managed VM/server deployments.", "product_ids": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "products": [ "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els1.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els10.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els2.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els3.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els6.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.tuxcare.els9.x86_64", "AlmaLinux-9.2:grafana-0:9.0.9-4.el9_2.alma.1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ] } ] }