SB2022061621 - Multiple vulnerabilities in Grafana
Published: June 16, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2022-21703)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into inviting the attacker as a new user with high privileges to escalate privileges.
2) Cross-site scripting (CVE-ID: CVE-2022-21702)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Grafana. A remote attacker can trick the victim to visit a specially crafted link, execute arbitrary HTML code, and perform a Cross-site scripting (XSS) attack.
3) Authorization bypass through user-controlled key (CVE-ID: CVE-2022-21713)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to an Insecure Direct Object Reference (IDOR) error in Grafana Teams APIs. A remote authenticated user can view unintended data by querying for the specific team ID or search for teams and see the total number of available teams.
Remediation
Install update from vendor's website.
References
- https://github.com/grafana/grafana/pull/45083
- https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
- https://github.com/grafana/grafana/security/advisories/GHSA-cmf4-h3xc-jw8w
- https://security.netapp.com/advisory/ntap-20220303-0005/
- https://bugzilla.redhat.com/show_bug.cgi?id=2050742
- https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g
- https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85
- https://bugzilla.redhat.com/show_bug.cgi?id=2050648
- https://github.com/grafana/grafana/security/advisories/GHSA-63g3-9jq3-mccv
- https://bugzilla.redhat.com/show_bug.cgi?id=2050743