Grafana has advised its users to patch a critical severity elevation of privilege vulnerability (CVE-2022-39328) via a security advisory. The advisory also addressed two moderate severity vulnerabilities: CVE-2022-39306 is an elevation of privilege vulnerability and CVE-2022-39307 is a username enumeration vulnerability.
Grafana is a multi-platform open-source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.
Privilege escalation: Unauthorized access to arbitrary endpoints (CVE-2022-39328)
An internal security audit of the Grafana codebase discovered a race condition that can enable an unauthenticated user to query any endpoint in Grafana. The race condition exists in the HTTP context creation. This might result in an HTTP request being assigned the authentication and authorization middlewares of another call. Under heavy load, a call protected by a privileged middleware may receive the middleware of a public query instead.
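To make the failure mode concrete, here is an added Go example (not Grafana's code) contrasting the two ways of attaching an authorization result to a request: a handler that parks the authenticated principal in a field shared by every request goroutine, so a read under load may see a different request's result, beside a middleware that carries the principal in the request's own context. The X-User header, the "admin" check and the /api/admin path are constructed for the illustration.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// principal is what the authentication middleware decides for one request.
type principal struct {
	User    string
	IsAdmin bool
}

// ctxKey is an unexported key type for request-scoped context values.
type ctxKey struct{}

// authenticate stands in for real credential checking (constructed: the
// X-User header names the caller and "admin" is the only admin).
func authenticate(r *http.Request) principal {
	u := r.Header.Get("X-User")
	return principal{User: u, IsAdmin: u == "admin"}
}

// racyServer keeps the "current" principal in a field that every request
// goroutine reads and writes: the bug pattern, not Grafana's code.
type racyServer struct {
	current principal
}

func (s *racyServer) handle(w http.ResponseWriter, r *http.Request) {
	s.current = authenticate(r) // shared write ...
	if !s.current.IsAdmin {     // ... and a shared read that may see another request's result
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, "admin-only data for ", s.current.User)
}

// withAuth stores the principal in the request's own context, so the
// authorization result travels with exactly the request it was computed for.
func withAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := context.WithValue(r.Context(), ctxKey{}, authenticate(r))
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

func adminOnly(w http.ResponseWriter, r *http.Request) {
	p, _ := r.Context().Value(ctxKey{}).(principal)
	if !p.IsAdmin {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, "admin-only data for ", p.User)
}

// loadTest fires n concurrent requests alternating "admin" and "alice" and
// returns how many non-admin calls got 200 (leaks) and how many admin calls
// were refused (wrongDenials); both must be zero for a correct server.
func loadTest(h http.Handler, n int) (leaks, wrongDenials int) {
	var wg sync.WaitGroup
	var mu sync.Mutex
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			user := "alice"
			if i%2 == 0 {
				user = "admin"
			}
			req := httptest.NewRequest(http.MethodGet, "/api/admin", nil)
			req.Header.Set("X-User", user)
			rec := httptest.NewRecorder()
			h.ServeHTTP(rec, req)
			mu.Lock()
			defer mu.Unlock()
			if user != "admin" && rec.Code == http.StatusOK {
				leaks++
			}
			if user == "admin" && rec.Code != http.StatusOK {
				wrongDenials++
			}
		}(i)
	}
	wg.Wait()
	return leaks, wrongDenials
}

func main() {
	racy := &racyServer{}
	l, d := loadTest(http.HandlerFunc(racy.handle), 20000)
	fmt.Printf("shared-field server: %d leaks, %d wrong denials\n", l, d)
	l, d = loadTest(withAuth(http.HandlerFunc(adminOnly)), 20000)
	fmt.Printf("per-request context: %d leaks, %d wrong denials\n", l, d)
}
```

The counts reported for the shared-field server vary from run to run, which is the nature of a race; running the program under `go run -race` reports the conflicting write and read in `racyServer.handle` deterministically, and that detector is the check to keep in a project's CI for middleware code of this kind.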
Privilege escalation: Usernames/email addresses cannot be trusted (CVE-2022-39306)
Grafana administrators can invite additional users to the organization that they are admins of. Whenever a new member is added to the organization, non-existing users receive an email invite while existing users are added directly. When an invite link is sent, it enables anyone with access to the link to register with the organization using any username or email address and become a member of the organization. An attacker can therefore use the invitation link to sign up with an arbitrary username/email.
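The defensive property missing here is that the invitation must be bound to the address the administrator actually invited. The following added Go example (not Grafana's data model or code) shows an invite store whose weak acceptance path lets any address join with a valid link, beside a hardened path that requires the signup address to match the invited one, enforces expiry and consumes the token on first use; the store, the e-mail normalisation and the org identifiers are constructed for the illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// invite is one pending organization invitation (constructed model).
type invite struct {
	Email   string // the address the admin actually invited, normalised
	OrgID   int
	Expires time.Time
	Used    bool
}

var (
	ErrNoInvite   = errors.New("invite not found or already used")
	ErrExpired    = errors.New("invite expired")
	ErrWrongEmail = errors.New("e-mail does not match the invitation")
)

type inviteStore struct {
	mu      sync.Mutex
	byToken map[string]*invite
}

func newInviteStore() *inviteStore {
	return &inviteStore{byToken: map[string]*invite{}}
}

// normalize folds case and whitespace so "Bob@Example.com " and
// "bob@example.com" compare equal.
func normalize(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// createInvite issues an unguessable single-use token bound to one address.
func (s *inviteStore) createInvite(email string, orgID int, ttl time.Duration) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byToken[tok] = &invite{Email: normalize(email), OrgID: orgID, Expires: time.Now().Add(ttl)}
	return tok, nil
}

// acceptUnbound is the weak pattern: whoever holds a valid link joins under
// any identity, because nothing ties the signup to the invited address.
func (s *inviteStore) acceptUnbound(token, email string) (int, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	inv, ok := s.byToken[token]
	if !ok {
		return 0, ErrNoInvite
	}
	return inv.OrgID, nil
}

// accept is the hardened path: the signup address must equal the invited
// one, the token must be unexpired, and it is consumed on first use.
func (s *inviteStore) accept(token, email string, now time.Time) (int, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	inv, ok := s.byToken[token]
	if !ok || inv.Used {
		return 0, ErrNoInvite
	}
	if now.After(inv.Expires) {
		return 0, ErrExpired
	}
	if normalize(email) != inv.Email {
		return 0, ErrWrongEmail
	}
	inv.Used = true
	return inv.OrgID, nil
}

func main() {
	s := newInviteStore()
	tok, _ := s.createInvite("Bob@example.com", 7, time.Hour)
	_, err := s.accept(tok, "other@example.com", time.Now())
	fmt.Println("different address:", err)
	org, err := s.accept(tok, "bob@example.com", time.Now())
	fmt.Println("invited address: org", org, "err", err)
	_, err = s.accept(tok, "bob@example.com", time.Now())
	fmt.Println("second use:", err)
}
```

Binding the token to the invited address is what turns "anyone with the link" back into "the person the admin invited"; expiry and single use limit how long a leaked link stays useful, which is why all three checks belong together in the acceptance path.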
Username enumeration (CVE-2022-39307)
A POST request is sent to the /api/user/password/send-reset-email URL when a user clicks the “forget password” link on the login page. A “user not found” message appears in a JSON response when the username or email is invalid. The impacted endpoint creates a security risk by disclosing information to unauthorized users.
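The standard remediation for this class of issue is a response that is identical whether or not the account exists. The added Go example below (not Grafana's code) puts a handler with the distinguishable "user not found" reply beside a uniform one, and includes the comparison check a tester or a regression test would run against the endpoint; the user table, the JSON field name and the mail queue are constructed for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// knownUsers stands in for the user table (constructed sample data).
var knownUsers = map[string]bool{"alice": true, "bob@example.com": true}

// mailQueue records which addresses a reset mail was queued for, so the
// uniform handler can be checked to still do its job for real accounts.
var mailQueue []string

type resetRequest struct {
	UserOrEmail string `json:"userOrEmail"` // constructed field name
}

func decode(r *http.Request) (resetRequest, error) {
	var req resetRequest
	err := json.NewDecoder(r.Body).Decode(&req)
	return req, err
}

// leakyReset mirrors the weak behaviour the advisory describes: an unknown
// account gets a distinguishable "user not found" JSON reply.
func leakyReset(w http.ResponseWriter, r *http.Request) {
	req, err := decode(r)
	if err != nil {
		http.Error(w, `{"message":"bad request"}`, http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	if !knownUsers[req.UserOrEmail] {
		fmt.Fprint(w, `{"message":"user not found"}`)
		return
	}
	mailQueue = append(mailQueue, req.UserOrEmail)
	fmt.Fprint(w, `{"message":"Email sent"}`)
}

// uniformReset answers identically whether or not the account exists; the
// mail is still queued only for real accounts, but the caller cannot tell.
func uniformReset(w http.ResponseWriter, r *http.Request) {
	req, err := decode(r)
	if err != nil {
		http.Error(w, `{"message":"bad request"}`, http.StatusBadRequest)
		return
	}
	if knownUsers[req.UserOrEmail] {
		mailQueue = append(mailQueue, req.UserOrEmail)
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"message":"If the account exists, an e-mail has been sent"}`)
}

// probe posts one identifier and returns status and body, the two things a
// response-comparison check looks at.
func probe(h http.HandlerFunc, id string) (int, string) {
	body := strings.NewReader(fmt.Sprintf(`{"userOrEmail":%q}`, id))
	req := httptest.NewRequest(http.MethodPost, "/api/user/password/send-reset-email", body)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

// distinguishable reports whether a known and an unknown identifier yield
// different responses, which is the enumeration condition a regression test
// should assert against.
func distinguishable(h http.HandlerFunc) bool {
	c1, b1 := probe(h, "alice")
	c2, b2 := probe(h, "nobody")
	return c1 != c2 || b1 != b2
}

func main() {
	fmt.Println("leaky handler enumerable:", distinguishable(leakyReset))
	fmt.Println("uniform handler enumerable:", distinguishable(uniformReset))
	fmt.Println("mail queued for:", mailQueue)
}
```

A uniform body and status remove the oracle in the response itself; a complete fix also keeps the response time independent of whether a lookup and mail send happened, and rate-limits the endpoint, neither of which this comparison check measures.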
Affected versions
- CVE-2022-39328: Grafana 9.2.x versions prior to 9.2.4
- CVE-2022-39306 and CVE-2022-39307: Grafana 9.x and 8.x versions prior to 9.2.4 and 8.15.5 respectively.
Mitigation
Grafana has released patches for these vulnerabilities. The advisory states, “Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro.”
For more information, please refer to the security advisory.
Qualys Detection
Qualys customers can scan their devices with QIDs 730643 and 730653 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/