June 15 update: CVE-2022-32275 was assigned a severity score of 7.5 HIGH on June 14. After a thorough review and as documented in the corresponding public issue, we confirm our initial assessment that there is no confidentiality impact and hence, no security impact. We are in discussions with MITRE to have this score reconsidered.
Last week CVE-2022-32276 and CVE-2022-32275 were reported as vulnerabilities affecting Grafana. Prior to that, a community member reached out to the Grafana security team with a report of vulnerabilities that we assessed as non-security impacting UI issues. We have responded to the reporter and since raised public issues to track the proposed changes:
We discovered the existence of these CVEs as part of our regular screening of mentions of Grafana in social media and were able to identify that these were claims that we had previously dismissed when privately reported. We believe that the reporter remained unconvinced by our reasons for dismissal and shared the report publicly.
We are not aware of any evidence which would support the assessment that these amount to security vulnerabilities and have contacted MITRE to dispute the validity of these CVEs. Our summary follows:
The first CVE (CVE-2022-32276) claims that “Unauthenticated and authenticated users can send a false request for snapshot query using random key parameters, having access to the system dashboard area by going through the login page.”
The claim here is that it is a vulnerability that the ‘not found’ page for snapshots is within Grafana’s regular UI rather than the login page.
Grafana is a single-page application where the full frontend is available to any user, authenticated or not. Being able to view this page does not indicate that the backend is providing the user with any level of privileged access. As such, we do not agree that this is a security vulnerability. We do, however, agree that the ‘not found page’ is a confusing UX issue and should be improved, and we have opened the issue referenced above to track it.
The second CVE (CVE-2022-32275) is another variation of the same report where Grafana’s 404 not found page is also showing the top- and sidebars that normally are only seen when logged in — for authenticated and unauthenticated users alike.
The steps to reproduce include references to an earlier XSS vulnerability and references the
/etc/passwd path which is commonly used by operating systems to list the users on the system. Despite this, it is important to note that neither an XSS nor remote file access claim is made in the vulnerability itself, and we are not aware of any indication of a remote file access vulnerability.
We believe that this, too, is a confusing user experience and have opened the issue referenced above to track it.
We’d like to thank the reporter for sharing their report with us and with the community, and we welcome public discussion on the two open GitHub issues referenced above.
Reporting security issues
If you think you have found a security vulnerability, please send a report to firstname.lastname@example.org. This address can be used for all of Grafana Labs' open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can only accept vulnerability reports at this address.
Please encrypt your message to us, using our PGP key. The key fingerprint is:
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Grafana Labs will send you a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and we may ask for additional information or guidance.
Important: We ask you to not disclose the vulnerability before it has been fixed and announced, unless you have received a response from the Grafana Labs security team that you can do so.
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.