How severe is CVE-2022-36062?

This vulnerability has a severity rating of LOW with a CVSS score of 3.8 out of 10.

What type of vulnerability is CVE-2022-36062?

This is classified as CWE-281, which is a common weakness in software security.

CVE-2022-36062 - LOW Severity | CVSS 3.8

Vulnerability Description

Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually.

Related Vulnerabilities

CVE-2025-0914

LOW

CVSS:3.8(Low)

An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidde...

CWE-2812025

CVE-2024-38361

LOW

CVSS:3.7(Low)

Spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Use of an exclusion under an arrow that has multiple resources ...

CWE-2812024

CVE-2024-32020

LOW

CVSS:3.9(Low)

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database w...

CWE-2812024

CVE-2024-36062

MEDIUM

CVSS:4.0(Medium)

The com.callassistant.android (aka AI Call Assistant & Screener) application 1.174 for Android enables any installed application (with no permissions) to place phone calls without user interaction by ...

CWE-2812024

CVE-2020-13282

LOW

CVSS:3.5(Low)

For GitLab before 13.0.12, 13.1.6, 13.2.3 after a group transfer occurs, members from a parent group keep their access level on the subgroup leading to improper access.

CWE-2812020

CVE-2017-5033

MEDIUM

CVSS:4.3(Medium)

Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote atta...

CWE-2812017