CVE-2022-23498: 
Grafana vulnerability analysis and mitigation

CVE-2022-23498 affects Grafana, an open-source platform for monitoring and observability. The vulnerability was discovered in versions 8.3.1 through 9.2.10 and 9.3.0 through 9.3.4. When datasource query caching is enabled, Grafana caches all headers, including grafana_session. This vulnerability allows any user that queries a datasource where caching is enabled to acquire another user's session (GitHub Advisory).

The vulnerability occurs when datasource query caching is enabled and specifically involves the caching of session-related headers. When a user makes a request to an affected endpoint with a session cookie older than the rotation interval (default 10 minutes), the response includes both an x-cache:MISS header and a Set-Cookie header. Subsequent requests to this endpoint during the cache lifetime (default 5 minutes) will return the first user's new grafana session cookie. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability could lead to unauthorized access to user sessions, potentially allowing attackers to impersonate legitimate users and access sensitive information. The vulnerability affects confidentiality and integrity of the system, with potential for unauthorized data access and modification (NetApp Advisory).

The vulnerability has been patched in Grafana versions 9.2.10 and 9.3.4. As a temporary workaround, administrators can disable datasource query caching for all datasources if immediate patching is not possible (GitHub Advisory).