Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-21673

Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth Identity feature, the Grafana instance having a data source with the Forward OAuth Identity feature toggled on, the Grafana instance having OAuth enabled, and the Grafana instance having usable API keys. This issue has been patched in versions 7.5.13 and 8.3.4.

Published

2022-01-18T22:15:07.873

Last Modified

2024-11-21T06:45:12.247

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-200
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	grafana	grafana	< 7.5.13	Yes
Application	grafana	grafana	< 8.3.4	Yes
Operating System	fedoraproject	fedora	34	Yes
Operating System	fedoraproject	fedora	35	Yes
Operating System	fedoraproject	fedora	36	Yes

References

https://github.com/grafana/grafana/releases/tag/v7.5.13 Release Notes, Third Party Advisory ([email protected])
https://github.com/grafana/grafana/releases/tag/v8.3.4 Release Notes, Third Party Advisory ([email protected])
https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4 Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/ ([email protected])
https://security.netapp.com/advisory/ntap-20220303-0004/ Third Party Advisory ([email protected])
https://github.com/grafana/grafana/releases/tag/v7.5.13 Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/grafana/grafana/releases/tag/v8.3.4 Release Notes, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/grafana/grafana/security/advisories/GHSA-8wjh-59cw-9xh4 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20220303-0004/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)