Grafana 8.3.4 and 7.5.13 released with important security fix

Today we are releasing Grafana 8.3.4 and 7.5.13. Among other fixes, these patch releases include an important security fix for all Grafana installations 7.5.x and 8.x. These versions are only vulnerable if the administrator has utilized OAuth forwarding for data sources and utilizes API keys.

Release v8.3.4 contains both a security fix and other patch changes. Because this issue is CVSS low only, we decided to release the fix as part of a normal patch release:

• Download Grafana 8.3.4

Latest stable release in v7.5.13:

• Download Grafana 7.5.13

Forward OAuth Identity Token (CVE-2022-21673)

Summary

In Grafana 7.2, a feature was added that allows opted-in data sources to forward the OAuth Access Token of the currently signed-in user when requesting data. If this feature is enabled on a data source, and a request is made with an API token to the data source, the OAuth Access Token of the most recently signed-in user is used instead of the provided API token.

This is not the expected behavior. We received a report about this issue on Jan. 7 in our security email from Mikko Auvinen.

Solutions and mitigations

If you are on Grafana 7.2 or later or Grafana 8.x and utilize Forward OAuth Identity Token, we recommend that you upgrade to this latest version. If you cannot upgrade, you can mitigate this by limiting the availability of API tokens.

Acknowledgements

We would like to thank Mikko Auvinen for responsibly disclosing this issue to us.

Reporting security Issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us, please use our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.