Headline
GHSA-8wjh-59cw-9xh4: Grafana Forward OAuth Identity Token can allow users to access some data sources
When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.
This can allow API token holders to retrieve data for which they may not have intended access.
Impact
All of the following must be true:
- The Grafana instance has data sources that support the Forward OAuth Identity feature. Graphite users, for example.
- Some data sources are not susceptible, like Prometheus, as they do not have support for this feature.
- The option being available is not sufficient enough to determine if the data source is susceptible.
- The Grafana instance has a data source with the Forward OAuth Identity feature toggled on.
- The Grafana instance has OAuth enabled.
- The Grafana instance has usable API keys.
Patches
The following Grafana versions have been patched:
v8.3.4v7.5.13
Workarounds
Administrators of Grafana instances can limit the availability of API tokens.
Reporting security issues
If you think you have found a security vulnerability, please send a report to [email protected]. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
Package
gomod github.com/grafana/grafana (Go)
Affected versions
> 7.2.0, < 7.5.13
>= 8.0.0, < 8.3.4
Patched versions
7.5.13
8.3.4
When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.
This can allow API token holders to retrieve data for which they may not have intended access.
Impact
All of the following must be true:
- The Grafana instance has data sources that support the Forward OAuth Identity feature. Graphite users, for example.
- Some data sources are not susceptible, like Prometheus, as they do not have support for this feature.
- The option being available is not sufficient enough to determine if the data source is susceptible.
- The Grafana instance has a data source with the Forward OAuth Identity feature toggled on.
- The Grafana instance has OAuth enabled.
- The Grafana instance has usable API keys.
Patches
The following Grafana versions have been patched:
- v8.3.4
- v7.5.13
Workarounds
Administrators of Grafana instances can limit the availability of API tokens.
Reporting security issues
If you think you have found a security vulnerability, please send a report to [email protected]. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
References
- GHSA-8wjh-59cw-9xh4
- https://nvd.nist.gov/vuln/detail/CVE-2022-21673
- https://github.com/grafana/grafana/releases/tag/v7.5.13
- https://github.com/grafana/grafana/releases/tag/v8.3.4
- https://lists.fedoraproject.org/archives/list/[email protected]/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D
- https://lists.fedoraproject.org/archives/list/[email protected]/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH
- https://lists.fedoraproject.org/archives/list/[email protected]/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ
- https://security.netapp.com/advisory/ntap-20220303-0004
Published to the GitHub Advisory Database
May 14, 2024
Last updated
May 14, 2024
Related news
Red Hat Security Advisory 2023-0542-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release. Issues addressed include denial of service and spoofing vulnerabilities.
Red Hat OpenShift Service Mesh 2.3.1 Containers Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4238: goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be * CVE-2022-2879: golang: archive/tar: unbounded memory consumption when reading headers * CVE-2022-2880: golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-3962: kiali: error message spoofing in kiali UI * CVE-2022-27664: golang: ...
Red Hat Security Advisory 2022-8057-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Issues addressed include cross site request forgery, cross site scripting, denial of service, information leakage, and privilege escalation vulnerabilities.
An update for grafana is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23648: sanitize-url: XSS due to improper sanitization in sanitizeUrl function * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21673: grafana: Forward OAuth Identity Token can allow users to access some data sources * CVE-2022-216...
An update for grafana is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23648: sanitize-url: XSS due to improper sanitization in sanitizeUrl function * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21673: grafana: Forward OAuth Identity Token can allow users to access some data sources * CVE-2022-2169...
A new container image for Red Hat Ceph Storage 5.2 is now available in the Red Hat Ecosystem Catalog. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-43813: grafana: directory traversal vulnerability * CVE-2022-21673: grafana: Forward OAuth Identity Token can allow users to access some data sources
Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.