CVE-2022-21702

Cross site scripting in Grafana proxy

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. For the plugin proxy: A Grafana HTTP-based app plugin configured and enabled with a URL set, the attacker has to be in control of the HTTP server serving the URL of above app, and a specially crafted link pointing at the attacker controlled plugin must be clocked on by an authenticated user. For the backend plugin resource: An attacker must be able to navigate an authenticated user to a compromised plugin through a crafted link. Users are advised to update to a patched version. There are no known workarounds for this vulnerability.

Grafana es una plataforma de código abierto para la monitorización y la observabilidad. En las versiones afectadas, un atacante podría servir contenido HTML mediante la fuente de datos de Grafana o el proxy del plugin y engañar a un usuario para que visite esta página HTML usando un enlace especialmente diseñado y ejecutar un ataque de tipo Cross-site Scripting (XSS). El atacante podría comprometer una fuente de datos existente para una instancia específica de Grafana o bien configurar su propio servicio público e instruir a cualquiera para que lo configure en su instancia de Grafana. Para ser impactado, todo lo siguiente debe ser aplicable. Para el proxy de la fuente de datos: Una fuente de datos basada en HTTP de Grafana configurada con Servidor como Modo de Acceso y una URL establecida, el atacante debe estar en control del servidor HTTP que sirve la URL de dicha fuente de datos, y un enlace especialmente diseñado que apunte a la fuente de datos controlada por el atacante debe ser pulsado por un usuario autenticado. Para el plugin proxy: Un plugin de Grafana basado en HTTP configurado y habilitado con un conjunto de URL, el atacante debe estar en control del servidor HTTP que sirve la URL de la aplicación anterior, y un enlace especialmente diseñado que apunte al plugin controlado por el atacante debe ser marcado por un usuario autenticado. Para el recurso del plugin backend: Un atacante debe ser capaz de dirigir a un usuario autenticado a un plugin comprometido mediante un enlace diseñado. Es recomendado a usuarios actualizar a una versión parcheada. No hay medidas de mitigación adicionales conocidas para esta vulnerabilidad

A Cross-site scripting (XSS) vulnerability was found in the way Grafana handles data sources. This flaw allows an attacker to serve HTML content through the Grafana data source or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site scripting (XSS) attack. Should an existing data source connected to Grafana be compromised, it could be used to inappropriately gain access to other data sources connected to the same Grafana org.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2022-02-08 CVE Published
2023-11-08 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (9)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20220303-0005	Third Party Advisory

URL	Date	SRC
https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g	2024-08-03

URL	Date	SRC
https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85	2023-11-07

URL	Date	SRC
https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLAQRRGNSO5MYCPAXGPH2OCSHOGHSQMQ	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-21702	2022-11-15
https://bugzilla.redhat.com/show_bug.cgi?id=2050648	2022-11-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Grafana Search vendor "Grafana"		Grafana Search vendor "Grafana" for product "Grafana"				>= 2.0.1 < 7.5.15 Search vendor "Grafana" for product "Grafana" and version " >= 2.0.1 < 7.5.15"		-		Affected
Grafana Search vendor "Grafana"		Grafana Search vendor "Grafana" for product "Grafana"				>= 8.0.0 < 8.3.5 Search vendor "Grafana" for product "Grafana" and version " >= 8.0.0 < 8.3.5"		-		Affected
Grafana Search vendor "Grafana"		Grafana Search vendor "Grafana" for product "Grafana"				2.0.0 Search vendor "Grafana" for product "Grafana" and version "2.0.0"		beta1		Affected
Grafana Search vendor "Grafana"		Grafana Search vendor "Grafana" for product "Grafana"				2.0.0 Search vendor "Grafana" for product "Grafana" and version "2.0.0"		beta3		Affected
Netapp Search vendor "Netapp"		E-series Performance Analyzer Search vendor "Netapp" for product "E-series Performance Analyzer"				< 3.0 Search vendor "Netapp" for product "E-series Performance Analyzer" and version " < 3.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected