Headline
CVE-2022-21673: Build software better, together
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.
Package
Forward OAuth Identity / OAuth Passthrough (Grafana)
Affected versions
> 7.2.0
When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.
This can allow API token holders to retrieve data for which they may not have intended access.
Impact
All of the following must be true:
- The Grafana instance has data sources that support the Forward OAuth Identity feature. Graphite users, for example.
- Some data sources are not susceptible, like Prometheus, as they do not have support for this feature.
- The option being available is not sufficient enough to determine if the data source is susceptible.
- The Grafana instance has a data source with the Forward OAuth Identity feature toggled on.
- The Grafana instance has OAuth enabled.
- The Grafana instance has usable API keys.
Patches
The following Grafana versions have been patched:
v8.3.4
v7.5.13
Workarounds
Administrators of Grafana instances can limit the availability of API tokens.
Reporting security issues
If you think you have found a security vulnerability, please send a report to [email protected]. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
CVSS Score
4.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N