Description

The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode

Remediation

References

CVE-2022-28660

Related Vulnerabilities

Oracle Database Server Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2007-5897)

WordPress Plugin Calendar Multiple Cross-Site Scripting Vulnerabilities (1.2.1)

MySQL Incorrect Authorization Vulnerability (CVE-2025-50085)

Jboss EAP Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-1167)

WordPress Plugin WP Symposium Pro Social Network Multiple Vulnerabilities (15.12)

Severity

Critical

Classification

CVE-2022-28660 CWE-306 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities