CVE-2022-24812

FGAC API Key privilege escalation in Grafana

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses a Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, subsequent requests with any API Key in that organization evaluate to the same permissions as the previous request. This can lead to an escalation of privileges: for example, when a first request is made with an Admin API Key and a second request is made with a different API Key that has Viewer permissions, the second request receives the cached permissions of the previous Admin, gaining higher privileges than it should. The vulnerability only affects Grafana Enterprise when the fine-grained access control beta feature is enabled and more than one API Key with different roles exists in a single organization. All installations after Grafana Enterprise v8.1.0-beta1 should be upgraded as soon as possible. As an alternative, disabling fine-grained access control mitigates the vulnerability.
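To make the cache-ID flaw described above concrete, the following Go program is an added illustration written for this page; it is not Grafana's own source. It models a 30-second permission cache whose cache ID is built from the organization alone (the weak scheme) beside one whose ID also includes the API key's identity (the corrected scheme), then replays the Admin-then-Viewer request sequence from the description against both. The types, role names, permission strings, key IDs and fake clock are constructed assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Role is the role assigned to an API key (constructed values mirroring the advisory).
type Role string

const (
	RoleAdmin  Role = "Admin"
	RoleViewer Role = "Viewer"
)

// APIKey is a hypothetical API key record: its own identity, its organization and its role.
type APIKey struct {
	ID    int64
	OrgID int64
	Role  Role
}

// Permissions is the evaluated permission set for one request (action -> allowed).
type Permissions map[string]bool

// evaluateRole stands in for the real fine-grained permission evaluation;
// in this constructed model only the Admin role receives "users:manage".
func evaluateRole(r Role) Permissions {
	if r == RoleAdmin {
		return Permissions{"dashboards:read": true, "dashboards:write": true, "users:manage": true}
	}
	return Permissions{"dashboards:read": true}
}

type cacheEntry struct {
	perms   Permissions
	expires time.Time
}

// PermissionCache memoizes evaluated permissions for a TTL. keyFn decides which
// request attributes make up the cache ID; that decision is the whole bug.
type PermissionCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	keyFn   func(APIKey) string
	now     func() time.Time // injected clock so expiry can be exercised offline
	entries map[string]cacheEntry
}

func NewPermissionCache(ttl time.Duration, keyFn func(APIKey) string, now func() time.Time) *PermissionCache {
	return &PermissionCache{ttl: ttl, keyFn: keyFn, now: now, entries: map[string]cacheEntry{}}
}

// Lookup returns the cached permissions when a live entry exists for the cache ID,
// otherwise evaluates the key's role and stores the result for ttl.
func (c *PermissionCache) Lookup(k APIKey) Permissions {
	c.mu.Lock()
	defer c.mu.Unlock()
	id := c.keyFn(k)
	if e, ok := c.entries[id]; ok && c.now().Before(e.expires) {
		return e.perms
	}
	p := evaluateRole(k.Role)
	c.entries[id] = cacheEntry{perms: p, expires: c.now().Add(c.ttl)}
	return p
}

// OrgOnlyKey reproduces the flaw the advisory describes: the cache ID is built
// from the organization alone, so every API key in that org shares one entry.
func OrgOnlyKey(k APIKey) string { return fmt.Sprintf("org:%d", k.OrgID) }

// PerPrincipalKey is the corrected scheme: the API key's own identity is part of
// the ID, so two keys can never read each other's cached permissions.
func PerPrincipalKey(k APIKey) string { return fmt.Sprintf("org:%d:apikey:%d", k.OrgID, k.ID) }

// ViewerGainsAdmin replays the two-request sequence from the description: an Admin
// key is used first, then a Viewer key from the same org is used `gap` later.
// It returns true if the Viewer request was granted the Admin-only "users:manage".
func ViewerGainsAdmin(keyFn func(APIKey) string, gap time.Duration) bool {
	clock := time.Date(2022, 4, 12, 0, 0, 0, 0, time.UTC) // constructed fake clock
	cache := NewPermissionCache(30*time.Second, keyFn, func() time.Time { return clock })
	admin := APIKey{ID: 1, OrgID: 1, Role: RoleAdmin}
	viewer := APIKey{ID: 2, OrgID: 1, Role: RoleViewer}
	cache.Lookup(admin) // first request populates the cache
	clock = clock.Add(gap)
	return cache.Lookup(viewer)["users:manage"]
}

func main() {
	fmt.Println("org-only cache ID, 1s apart, viewer gets users:manage:", ViewerGainsAdmin(OrgOnlyKey, time.Second))
	fmt.Println("org-only cache ID, 31s apart (entry expired):", ViewerGainsAdmin(OrgOnlyKey, 31*time.Second))
	fmt.Println("per-principal cache ID, 1s apart:", ViewerGainsAdmin(PerPrincipalKey, time.Second))
}
```

The third call is the one a reviewer would want to see pass: once the principal's identity is part of the cache ID, the Viewer key evaluates to its own role regardless of timing. The second call shows why the advisory's 30-second window matters: with the weak scheme the leak only disappears once the Admin entry has expired.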

*Credits: N/A
CVSS Scores
CVSS v3.1 (base score 8.8):
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
Second CVSS v3 vector:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2 metrics:
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-02-10 CVE Reserved
  • 2022-04-12 CVE Published
  • 2023-12-02 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-269: Improper Privilege Management
CAPEC
Affected Vendors, Products, and Versions
Vendor  | Product | Version           | Other      | Status
Grafana | Grafana | >= 8.1.0 < 8.4.6  | enterprise | Affected