CVE-2022-21703

Name: CVE-2022-21703
Creator: NVD / NIST
Published: 2022-02-08T21:15:20.15+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 2.28%

Last modified Jun 17, 2026

CVE-2022-21703 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). EPSS estimates a 2.28% chance of exploitation in the next 30 days.

Description

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

2.28%

80.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Grafana	Grafana	>= 3.0.1, < 7.5.15	—
Grafana	Grafana	>= 8.0.0, < 8.3.5	—
Grafana	Grafana	3.0.0	Beta1
Netapp	E-Series Performance Analyzer	< 3.0	—
Fedoraproject	Fedora	34	—
Fedoraproject	Fedora	35	—
Fedoraproject	Fedora	36	—

References

https://github.com/grafana/grafana/pull/45083Issue Tracking, Patch, Third Party Advisory
https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8wMitigation, Release Notes, Third Party Advisory
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/Mitigation, Release Notes, Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
https://security.netapp.com/advisory/ntap-20220303-0005/Third Party Advisory
https://github.com/grafana/grafana/pull/45083Issue Tracking, Patch, Third Party Advisory
https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8wMitigation, Release Notes, Third Party Advisory
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/Mitigation, Release Notes, Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/
https://security.netapp.com/advisory/ntap-20220303-0005/Third Party Advisory

Timeline

Published: Feb 8, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-21703?

How severe is CVE-2022-21703?

CVE-2022-21703 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 2.28% probability of exploitation in the next 30 days.

How do I fix CVE-2022-21703?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-21703?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST