Vulnerability Name:

CVE-2022-31107 (CCN-231304)

Assigned: 2022-07-14
Published: 2022-07-14
Updated: 2022-10-29
Summary: Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9, 8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana instance via a configured OAuth IdP which provides a login name to take over the account of another user in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via OAuth, the malicious user's external user id is not already associated with an account in Grafana, the malicious user's email address is not already associated with an account in Grafana, and the malicious user knows the Grafana username of the target user. If these conditions are met, the malicious user can set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log in to Grafana. Due to the way that external and internal user accounts are linked together during login, if the conditions above are all met then the malicious user will be able to log in to the target user's Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L)
6.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): Low
7.1 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L)
6.2 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): Low
CVSS v2 Severity: 6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Partial
Vulnerability Type: CWE-863
CWE-287
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2022-31107

Source: XF
Type: UNKNOWN
grafana-cve202231107-sec-bypass(231304)

Source: CCN
Type: Grafana GIT Repository
Grafana account takeover via OAuth vulnerability

Source: CONFIRM
Type: Release Notes, Third Party Advisory
https://github.com/grafana/grafana/security/advisories/GHSA-mx47-6497-3fv2

Source: MISC
Type: Release Notes, Vendor Advisory
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-4-10/

Source: MISC
Type: Release Notes, Vendor Advisory
https://grafana.com/docs/grafana/next/release-notes/release-notes-8-5-9/

Source: MISC
Type: Release Notes, Vendor Advisory
https://grafana.com/docs/grafana/next/release-notes/release-notes-9-0-3/

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220901-0010/

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:grafana:grafana:*:*:*:*:*:*:*:* (Version >= 9.0.0 and < 9.0.3)
  • OR cpe:/a:grafana:grafana:*:*:*:*:*:*:*:* (Version >= 8.5.0 and < 8.5.9)
  • OR cpe:/a:grafana:grafana:*:*:*:*:*:*:*:* (Version >= 8.4.0 and < 8.4.10)
  • OR cpe:/a:grafana:grafana:*:*:*:*:*:*:*:* (Version >= 5.3.0 and < 8.3.10)

Configuration 2:
  • cpe:/a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions
Definition ID                          Class  Title                                                          Last Modified
oval:org.opensuse.security:def:8169    P      Security update for SUSE Manager Client Tools (Important)      2023-06-21
oval:org.opensuse.security:def:639     P      Security update for grafana (Important) (in QA)                2022-10-06
oval:org.opensuse.security:def:640     P      Security update for SUSE Manager Client Tools (Moderate) (in QA)  2022-09-29
oval:com.redhat.rhsa:def:20225716      P      RHSA-2022:5716: grafana security update (Important)            2022-07-26
oval:com.redhat.rhsa:def:20225717      P      RHSA-2022:5717: grafana security update (Important)            2022-07-26
Vendor    Product                        Version
grafana   grafana                        *
grafana   grafana                        *
grafana   grafana                        *
grafana   grafana                        *
netapp    e-series performance analyzer  -