Headline
GHSA-vw7q-p2qg-4m5f: Grafana Stored Cross-site Scripting in Unified Alerting
Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for a stored Cross Site Scripting in Grafana.
Release v.9.0.3, containing this security fix and other patches:
Release v.8.5.9, containing this security fix and other fixes:
Release v.8.4.10, containing this security fix and other fixes:
Release v.8.3.10, containing this security fix and other fixes:
Stored XSS (CVE-2022-31097)
Summary
On June 19 a security researcher contacted Grafana Labs to disclose a XSS vulnerability in the Unified Alerting feature of Grafana. After analysis, this stored XSS could be used to elevate privileges from Editor to Admin.
We believe that this vulnerability is rated at CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
Impact
An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link.
Affected versions with HIGH severity
All Grafana >=8.0 versions are affected by this vulnerability.
Solutions and mitigations
All installations after Grafana v8.0 should be upgraded as soon as possible.
As a workaround it is possible to disable alerting or use legacy alerting.
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.
Timeline
Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
2022-06-19 10:32 - Research submission of vulnerability report 2022-06-20 14:35- Issue triaged, confirmed positive, and internal incident raised 2022-06-20 18:40 - Fix PR submitted and reviewed 2022-06-23 07:12 - All Grafana Cloud hosted Grafana instances patched 2022-07-05 07:14 - Customers informed under embargo 2022-07-14 02:00 - Public release
Acknowledgement
We would like to thank Maxim Misharin for responsibly disclosing the vulnerability.
Reporting security issues
If you think you have found a security vulnerability, please send a report to [email protected]. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
Today we are releasing Grafana 8.3.10, 8.4.10, 8.5.9 and 9.0.3. This patch release includes a HIGH severity security fix for a stored Cross Site Scripting in Grafana.
Release v.9.0.3, containing this security fix and other patches:
- Download Grafana 9.0.3
- Release notes
Release v.8.5.9, containing this security fix and other fixes:
- Download Grafana 8.5.9
- Release notes
Release v.8.4.10, containing this security fix and other fixes:
- Download Grafana 8.4.10
- Release notes
Release v.8.3.10, containing this security fix and other fixes:
- Download Grafana 8.3.10
Stored XSS (CVE-2022-31097)****Summary
On June 19 a security researcher contacted Grafana Labs to disclose a XSS vulnerability in the Unified Alerting feature of Grafana. After analysis, this stored XSS could be used to elevate privileges from Editor to Admin.
We believe that this vulnerability is rated at CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
Impact
An attacker can exploit this vulnerability to escalate privilege from editor to admin by tricking an authenticated admin to click on a link.
Affected versions with HIGH severity
All Grafana >=8.0 versions are affected by this vulnerability.
Solutions and mitigations
All installations after Grafana v8.0 should be upgraded as soon as possible.
As a workaround it is possible to disable alerting or use legacy alerting.
Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana.
Timeline
Here is a detailed timeline starting from when we originally learned of the issue. All times in UTC.
2022-06-19 10:32 - Research submission of vulnerability report
2022-06-20 14:35- Issue triaged, confirmed positive, and internal incident raised
2022-06-20 18:40 - Fix PR submitted and reviewed
2022-06-23 07:12 - All Grafana Cloud hosted Grafana instances patched
2022-07-05 07:14 - Customers informed under embargo
2022-07-14 02:00 - Public release
Acknowledgement
We would like to thank Maxim Misharin for responsibly disclosing the vulnerability.
Reporting security issues
If you think you have found a security vulnerability, please send a report to [email protected]. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
References
- GHSA-vw7q-p2qg-4m5f
- https://nvd.nist.gov/vuln/detail/CVE-2022-31097
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-8-5-9
- https://grafana.com/docs/grafana/latest/release-notes/release-notes-9-0-3
- https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10
- https://security.netapp.com/advisory/ntap-20220901-0010
Related news
Red Hat Security Advisory 2023-3642-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. This new container image is based on Red Hat Ceph Storage 6.1 and Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, denial of service, information leakage, spoofing, and traversal vulnerabilities.
A new container image for Red Hat Ceph Storage 6.1 is now available in the Red Hat Ecosystem Catalog. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-42581: A flaw was found in the Ramda NPM package that involves prototype poisoning. This flaw allows attackers to supply a crafted object, affecting the integrity or availability of the application. * CVE-2022-1650: A flaw was found in the EventSource NPM Package. The description from the source states the following messa...
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will...
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.