How severe is CVE-2022-29170?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.5 out of 10.

What type of vulnerability is CVE-2022-29170?

This is classified as CWE-601, which is a common weakness in software security.

CVE-2022-29170

HIGH Year: 2022

CVSS v3 Score

8.5

High

CVSS v2 Score

4.9

Medium

Weakness Type

CWE-601

View all →

Vulnerability Description

Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. Grafana Cloud is not impacted by this vulnerability. Versions 7.5.16 and 8.5.3 contain a patch for this issue. There are currently no known workarounds.

CVE-2024-11274

HIGH

CVSS:8.7(High)

An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers ...

CWE-6012024

CVE-2016-9078

HIGH

CVSS:8.8(High)

Redirection from an HTTP connection to a "data:" URL assigns the referring site's origin to the "data:" URL in some circumstances. This can result in same-origin violations against a domain if it load...

CWE-6012016

CVE-2017-1000117

HIGH

CVSS:8.8(High)

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such...

CWE-6012017

CVE-2017-1156

HIGH

CVSS:8.8(High)

IBM WebSphere Portal 8.5 and 9.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attack...

CWE-6012017

CVE-2017-11879

HIGH

CVSS:8.8(High)

ASP.NET Core 2.0 allows an attacker to steal log-in session information such as cookies or authentication tokens via a specially crafted URL aka "ASP.NET Core Elevation Of Privilege Vulnerability".

CWE-6012017

CVE-2019-10751

HIGH

CVSS:8.8(High)

All versions of the HTTPie package prior to version 1.0.3 are vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory...

CWE-6012019

CVE-2022-29170

Vulnerability Description

Related Vulnerabilities

CVE-2024-11274

CVE-2016-9078

CVE-2017-1000117

CVE-2017-1156

CVE-2017-11879

CVE-2019-10751