Grafana security releases: New versions with fixes for CVE-2022-23552, CVE-2022-41912, and CVE-2022-39324
Today we are releasing Grafana 9.3.4 and 9.2.10, which contain fixes for CVE-2022-23552, CVE-2022-41912, and CVE-2022-39324.
Release 9.3.4, latest release with security patch:
Release 9.2.10, last 9.2 patch with security patch:
Stored XSS in ResourcePicker component (CVE-2022-23552)
Summary
On Dec. 16, 2022, during an internal audit of Grafana, a member of the Grafana security team found a stored XSS vulnerability affecting the core Geomap and Canvas plugins.
We have assessed this vulnerability as having a CVSS score of 7.3 HIGH (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
Impact
An attacker needs to have the Editor role in order to change a panel to include either an external URL to an SVG file containing JavaScript or a data: URL that loads an inline SVG file containing JavaScript. An attacker with the Editor role can edit the panel to include an SVG file containing arbitrary JavaScript, which is then executed when a user views the dashboard containing the altered panel.
Appropriate patches have been applied to Grafana Cloud.
Impacted versions
All installations for Grafana versions >= 8.1.x.
Solutions and mitigations
To fully address CVE-2022-23552, please upgrade your Grafana instances.
As a workaround for CVE-2022-23552, enable the Content-Security-Policy option.
Credit
Kristian Bremberg, part of Grafana Labs internal security team, discovered the vulnerability.
SAML privilege escalation (CVE-2022-41912)
Summary
Grafana Enterprise uses the crewjam/saml library for SAML integration. On Nov. 30, 2022, an advisory and a fix were published for the upstream library, describing a vulnerability that allows privilege escalation when processing SAML responses containing multiple assertions.
We have assessed this vulnerability as having a CVSS score of 8.3 HIGH (CVSS:8.3/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).
Appropriate patches have been applied to Grafana Cloud.
Impact
The vulnerability can be exploited only when the SAML document is not signed and multiple assertions are used, at least one of which is signed. As a result, an attacker could intercept the SAML response and add any unsigned assertion, which the library would treat as signed.
Impacted versions
Grafana Enterprise versions 6.3.0-beta1 to 9.3.1.
Solutions and mitigations
To fully address CVE-2022-41912, please upgrade your Grafana instances.
As an alternative, you can ensure that the entire SAML document is signed, or stop using SAML temporarily.
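The unsigned-response, mixed-assertion case described above, as an added Go example that is not Grafana's or crewjam/saml's code: it parses a constructed SAML Response and rejects it when the Response element is unsigned and any Assertion lacks its own Signature. It checks structure only; the cryptographic verification of each signature is assumed to happen in the SAML library afterwards.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

type presence struct{} // empty marker: records only that an element exists
// Minimal models of samlp:Response and saml:Assertion. encoding/xml matches these
// tags by local name in any namespace, and a Signature field sees only a direct child.
type samlAssertion struct {
	ID        string    `xml:"ID,attr"`
	Signature *presence `xml:"Signature"`
}
type samlResponse struct {
	XMLName    xml.Name        `xml:"Response"`
	Signature  *presence       `xml:"Signature"`
	Assertions []samlAssertion `xml:"Assertion"`
}

// CheckAssertionSignatures enforces the structural rule behind CVE-2022-41912: if the
// Response is unsigned, every Assertion must carry its own Signature. It returns the
// IDs that break the rule. It does NOT verify signatures; the SAML library still must.
func CheckAssertionSignatures(raw string) ([]string, error) {
	var resp samlResponse
	if err := xml.NewDecoder(strings.NewReader(raw)).Decode(&resp); err != nil {
		return nil, fmt.Errorf("parse response: %w", err)
	}
	if resp.Signature != nil {
		return nil, nil // enveloped signature covers the whole document
	}
	var unsigned []string
	for _, a := range resp.Assertions {
		if a.Signature == nil {
			unsigned = append(unsigned, a.ID)
		}
	}
	if len(unsigned) > 0 {
		return unsigned, fmt.Errorf("unsigned Response with unsigned assertion(s) %v", unsigned)
	}
	return nil, nil
}

// Constructed sample: unsigned Response, assertion _a1 signed, _a2 not.
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Assertion ID="_a1"><ds:Signature><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature></saml:Assertion>
<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>`

func main() { fmt.Println(CheckAssertionSignatures(sampleResponse)) } // [_a2] and an error
```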
Spoofing originalUrl of snapshots (CVE-2022-39324)
Summary
A third-party penetration test of Grafana found a vulnerability in the snapshot functionality. The value of the originalUrl parameter is generated automatically. Its purpose is to let a user who views the snapshot click the Local Snapshot button in the Grafana web UI and be taken to the dashboard that the snapshot captured. However, the value of the originalUrl parameter can be chosen arbitrarily by a malicious user who creates the snapshot. (Note: This can be done by editing the request with a web proxy such as Burp.)
We have assessed this vulnerability as having a CVSS score of 6.7 MEDIUM (CVSS:6.7/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L).
Appropriate patches have been applied to Grafana Cloud.
Impact
Since the value of the originalUrl parameter could be arbitrarily chosen by a malicious user that creates the snapshot, the Open original dashboard button no longer points to the real original dashboard but to the attacker’s injected URL.
Impacted versions
All installations for Grafana versions 9.x and 8.x.
Solutions and mitigations
To fully address CVE-2022-39324, please upgrade your Grafana instances.
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.