CVE-2022-39306: 
Grafana vulnerability analysis and mitigation

A vulnerability in Grafana (CVE-2022-39306) was discovered that affects versions 8.x and 9.x prior to versions 8.5.15 and 9.2.4 respectively. The vulnerability relates to authentication bypass in the invitation system, where when an invite link is sent, it allows users to sign up with arbitrary username/email address and become a member of the organization (Grafana Advisory).

The vulnerability has a CVSS v3.1 base score of 6.4 (Moderate) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N. The issue specifically occurs in the organization invitation system where the invitation link can be exploited to allow users to register with any username or email address of their choice (Grafana Advisory, NetApp Advisory).

The vulnerability could lead to unauthorized access and potential privilege escalation within Grafana organizations. When successfully exploited, it allows attackers to sign up with arbitrary usernames and email addresses, potentially impersonating other users or gaining unauthorized access to organizational resources (Grafana Advisory, NetApp Advisory).

The vulnerability has been patched in Grafana versions 8.5.15 and 9.2.4. Organizations are advised to upgrade their Grafana instances to these versions or later to address the security issue. The fix has also been applied to Grafana Cloud, and cloud providers licensed to offer Grafana Pro have been notified and have secured their offerings (Grafana Advisory).