Web versions

Grafana web security vulnerability has opened up a plethora of attack possibilities

View this

Research by a pair of bug bounty hunters has led to the discovery of a high-impact web security vulnerability in the popular Grafana dashboard tool.

CSRF (cross-site request forgery) vulnerability – tracked as CVE-2022-21703 – opens the door for attackers to elevate their privileges through cross-origin attacks against administrators on systems running vulnerable versions of the open source platform.

According to the researchers, versions of the Grafana branch prior to 7.5.15 and 8.3.5 are all vulnerable and require security triage.

Fortunately, fixes are already available.

Keep up to date with the latest security research news and analysis

Security researchers using the “jub0bs” and “abrahack” descriptors have demonstrated that instances of Grafana configured to allow frame integration authenticated dashboards are at increased risk of potential cross-origin attacks.

There is no known workaround, so system administrators are advised to upgrade Grafana installations as soon as possible.

Security gaps

Bug hunter jub0bs said The daily sip that the potential consequences of the vulnerability were far-reaching.

“Impact includes stored XSS [cross-site scripting]private [privilege escalation] up to the Grafana admin of the targeted instance, SSRF full read [server-side request forgery]and also pivot against other applications running on the same origin (e.g. GitLab),” they explained.

“The attacker should then lure a high-privileged Grafana user to the vulnerable page in that subdomain.”

RELATED Grafana urges web developers to update the following path traversal bug disclosure

The researcher said the vulnerability resulted from a combination of three security flaws: over-reliance on the SameSite cookie attribute, poor content-type validation of requests, and incorrect assumptions about cross-origin resource sharing. (CORS).

There are certain prerequisites for a successful attack, but even so, assaults could easily be possible.

They explained: “If an attacker targets a Grafana instance with a default configuration on, say, grafana[.]Example[.com]an XSS or subtko [subdomain takeover] on an example subdomain[.]com is required.

In a technical blog postjub0bs and abrahack explain their research in depth.

The daily sip invited Grafana to comment on the latest research on its platform, but we have yet to hear back.

The issue has been resolved in Grafana versions 7.5.15 and 8.3.5.

YOU MIGHT ALSO LIKE An Internet Society data leak revealed the login credentials of 80,000 members