Several vulnerabilities discovered in Grafana, including critical privilege escalation (11th Novemb

Ref# AL2022_73 | Date: Nov 11th 2022

Description  

The open-source, multi-platform, analytics and visualization application Grafana has recently received an update to address several vulnerability issues, one of which was deemed a critical privilege escalation security flaw.  

Summary 

On November 8, 2022, the Grafana team addressed three vulnerabilities affecting all versions of Grafana below version 8. These vulnerabilities are recorded as CVE-2022-39328, CVE-2022-39307, and CVE-2022-39306, with CVE-2022-39328 categorized as a critical flaw with a score of 9.8. 

CVE-2022-39328 is categorized as a privilege escalation flaw. It involves a race condition in the Grafana codebase that can allow an unauthenticated user to query an arbitrary endpoint in Grafana. The race occurs during HTTP context creation and results in an HTTP request being assigned the authentication or authorization middleware of another call. Under heavy load, a call protected by a privileged middleware may receive the middleware of a public query instead. This would give an unauthenticated user unauthorized access to protected endpoints within Grafana.

CVE-2022-39306 is also a privilege escalation flaw; it involves Grafana admins inviting other users to the platform. New users receive an email invite, while existing members are added directly to the platform. However, the email invite link allows anyone who holds it to sign up with any username/email address they choose and gain access to the platform. This makes it possible to use the invite link to sign up with an arbitrary username/email with malicious intent.

CVE-2022-39307 is a username enumeration flaw that occurs when using the forgot password function on the login page. When this function is called, a POST request is made to the `/api/user/password/sent-reset-email` URL. If the username or email does not exist in Grafana, the JSON response contains a "user not found" message. Because the response differs for valid and invalid accounts, this flaw leaks account information to unauthenticated users and introduces a security risk.
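The response difference behind CVE-2022-39307, shown as an added Go example that is not Grafana's code: a handler that answers as the alert describes, beside one that returns the same status and body whether or not the account exists. The handler names, the `user` JSON field, the "Email sent" message and the sample account are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var users = map[string]bool{"alice@example.com": true} // constructed sample account
var outbox []string                                     // stands in for the mailer

// requestReset decodes the (hypothetical) JSON body, queues mail only for a real account, and reports whether it exists.
func requestReset(r *http.Request) bool {
	var req struct{ User string `json:"user"` }
	_ = json.NewDecoder(r.Body).Decode(&req) // malformed input is treated as an unknown user
	if users[req.User] {
		outbox = append(outbox, req.User)
	}
	return users[req.User]
}

// leakyReset behaves as the alert describes: unknown accounts get a distinct answer.
func leakyReset(w http.ResponseWriter, r *http.Request) {
	if !requestReset(r) {
		http.Error(w, `{"message":"user not found"}`, http.StatusNotFound)
		return
	}
	fmt.Fprint(w, `{"message":"Email sent"}`)
}

// uniformReset answers every caller identically, so the response reveals nothing about the account.
func uniformReset(w http.ResponseWriter, r *http.Request) {
	requestReset(r)
	fmt.Fprint(w, `{"message":"Email sent"}`)
}

// probe posts an in-process reset request for user to h and returns the status code and body.
func probe(h http.HandlerFunc, user string) (int, string) {
	body := strings.NewReader(fmt.Sprintf(`{"user":%q}`, user))
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/api/user/password/sent-reset-email", body))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	fmt.Println(probe(leakyReset, "nobody@example.com"))
	fmt.Println(probe(uniformReset, "nobody@example.com"))
}
```

A regression test for this class of flaw compares the status and body returned for a known and an unknown account and fails if they differ.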

Remediation  

To remediate these issues, users are advised to update to the latest version of Grafana, version 9.2.4. Grafana also offers a security patch for the Grafana 8 versions, version 8.5.15. Both releases can be found at: https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.     
