CVE-2022-36062 – Grafana folders admin only permission privilege escalation
https://notcve.org/view.php?id=CVE-2022-36062
Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9, and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder permissions to RBAC permissions do not account for the scenario where the only user permission in the folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround when the impacted folder/dashboard is known is to remove the additional permissions manually. • https://github.com/grafana/grafana/security/advisories/GHSA-p978-56hq-r492 https://security.netapp.com/advisory/ntap-20221215-0001 • CWE-281: Improper Preservation of Permissions •
CVE-2022-35957 – Authentication Bypass in Grafana via auth proxy allowing escalation from admin to server admin
https://notcve.org/view.php?id=CVE-2022-35957
Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13 are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to take over the server admin account and gain full control of the grafana instance. All installations should be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-proxy/ Grafana es una plataforma de código abierto para la monitorización y la observabilidad. Las versiones anteriores a 9.1.6 y 8.5.13, son vulnerables a una escalada de admin a server admin cuando es usado auth proxy, lo que permite a un admin tomar la cuenta de server admin y obtener el control total de la instancia de grafana. • https://github.com/grafana/grafana/security/advisories/GHSA-ff5c-938w-8c9q https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYU5C2RITLHVZSTCWNGQWA6KSPYNXM2H https://security.netapp.com/advisory/ntap-20221215-0001 https://access.redhat.com/security/cve/CVE-2022-35957 https://bugzilla.redhat.com/show_bug.cgi?id=2125514 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-290: Authentication Bypass by Spoofing •
CVE-2022-31107 – Grafana account takeover via OAuth vulnerability
https://notcve.org/view.php?id=CVE-2022-31107
Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. • https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2 https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10 https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9 https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3 https://security.netapp.com/advisory/ntap-20220901-0010 https://access.redhat.com/security/cve/CVE-2022-31107 https://bugzilla.redhat.com/show_bug.cgi?id=2104367 • CWE-287: Improper Authentication CWE-863: Incorrect Authorization •
CVE-2022-29170 – Grafana Enterprise datasource network restrictions bypass via HTTP redirects
https://notcve.org/view.php?id=CVE-2022-29170
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, the Request security feature allows list allows to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability present starting with version 7.4.0-beta1 and prior to versions 7.5.16 and 8.5.3 allows someone to bypass these security configurations if a malicious datasource (running on an allowed host) returns an HTTP redirect to a forbidden host. The vulnerability only impacts Grafana Enterprise when the Request security allow list is used and there is a possibility to add a custom datasource to Grafana which returns HTTP redirects. In this scenario, Grafana would blindly follow the redirects and potentially give secure information to the clients. • https://github.com/yijikeji/CVE-2022-29170 https://github.com/grafana/grafana/pull/49240 https://github.com/grafana/grafana/releases/tag/v7.5.16 https://github.com/grafana/grafana/releases/tag/v8.5.3 https://github.com/grafana/grafana/security/advisories/GHSA-9rrr-6fq2-4f99 https://security.netapp.com/advisory/ntap-20220707-0005 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2022-28660
https://notcve.org/view.php?id=CVE-2022-28660
The querier component in Grafana Enterprise Logs 1.1.x through 1.3.x before 1.4.0 does not require authentication when X-Scope-OrgID is used. Versions 1.2.1, 1.3.1, and 1.4.0 contain the bugfix. This affects -auth.type=enterprise in microservices mode El componente querier en Grafana Enterprise Logs versiones 1.1.x hasta 1.3.x anteriores a 1.4.0, no requiere autenticación cuando es usado X-Scope-OrgID. Las versiones 1.2.1, 1.3.1 y 1.4.0, contienen una corrección de errores. Esto afecta a -auth.type=enterprise en el modo de microservicios • https://grafana.com/docs/enterprise-logs/latest/gel-releases/#v121----may-3-2022 https://security.netapp.com/advisory/ntap-20220707-0004 • CWE-306: Missing Authentication for Critical Function •