#VU71566 Spoofing attack in Grafana


Published: 2023-01-26

Vulnerability identifier: #VU71566

Vulnerability risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2022-39324

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Grafana
Web applications / Other software

Vendor: Grafana Labs

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to usage of a hidden originalUrl parameter in the shared dashboard. A remote attacker can trick the victim into opening a shared snapshot and click on the button in the Grafana web UI, which will redirect user to an attacker-controlled URL.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Grafana: 9.0.0 - 9.0.9, 8.5.0 - 8.5.20, 8.4.0 - 8.4.11, 8.3.0 - 8.3.11, 8.2.0 - 8.2.7, 8.1.0 - 8.1.8, 8.0.0 - 8.0.7

External links
http://github.com/grafana/grafana/security/advisories/GHSA-4724-7jwc-3fpw

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for Security Beta update for SUSE Manager Client Tools
SUSE update for Security Beta update for SUSE Manager Client Tools and Salt
Spoofing attack in IBM Storage Ceph
Multiple vulnerabilities in IBM Netcool Operations Insight
Red Hat Enterprise Linux 9 update for grafana
Multiple vulnerabilities in Oracle Linux
Multiple vulnerabilities in Red Hat Ceph Storage
SUSE update for SUSE Manager Client Tools
SUSE update for SUSE Manager Client Tools
SUSE update for grafana