Today we are releasing Grafana 8.3.4 and 7.5.13. Among other fixes, these patch releases include an important security fix for all Grafana installations 7.5.x and 8.x. These versions are only vulnerable if the administrator has utilized OAuth forwarding for data sources and utilizes API keys.
Release v8.3.4 contains both a security fix and other patch changes. Because this issue is CVSS low only, we decided to release the fix as part of a normal patch release:
Latest stable release in v7.5.13:
Forward OAuth Identity Token (CVE-2022-21673)
In Grafana 7.2, a feature was added that allows opted-in data sources to forward the OAuth Access Token of the currently signed-in user when requesting data. If this feature is enabled on a data source, and a request is made with an API token to the data source, the OAuth Access Token of the most recently signed-in user is used instead of the provided API token.
This is not the expected behavior. We received a report about this issue on Jan. 7 in our security email from Mikko Auvinen.
Solutions and mitigations
If you are on Grafana 7.2 or later or Grafana 8.x and utilize Forward OAuth Identity Token, we recommend that you upgrade to this latest version. If you cannot upgrade, you can mitigate this by limiting the availability of API tokens.
We would like to thank Mikko Auvinen for responsibly disclosing this issue to us.
Reporting security Issues
If you think you have found a security vulnerability, please send a report to email@example.com. This address can be used for all of Grafana Labs' open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us, please use our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
We maintain a security category on our blog where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.