Today we are releasing Grafana 9.3.0, which includes updates such as an enhanced navigation and new localization features. In addition, the Grafana 9.3.0 release contains a security fix for CVE-2022-31097. This vulnerability was first patched July 14, 2022; read more on that here.
We have also released a security patch for Grafana 9.2.7 to address this issue.
Release 9.3.0, latest release with security patch:
Release 9.2.7, last 9.2 patch with security fix:
Stored XSS in Grafana Alerting (CVE-2022-31097)
On Nov. 25, a Grafana community member reported a stored XSS vulnerability in Grafana Alerting. On further investigation, this vulnerability is a regression of CVE-2022-31097. We have assessed this vulnerability as having a rating of CVSSv3.1 7.3 HIGH. (CVSS:7.3/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) As this issue was raised in our public repositories, we are treating this as a 0-day and are immediately releasing patches to the public.
Appropriate patches have been applied to Grafana Cloud and as always, we have closely coordinated with all cloud providers licensed to offer Grafana Pro.
An attacker can exploit this vulnerability in Grafana Alerting to escalate privilege from Editor to Admin by tricking an authenticated admin to click on a link.
9.1.0-beta1 -> 9.3.0-beta1
See the original vulnerability for the original versions that were impacted.
Solutions and mitigations
To fully address CVE-2022-31097, please upgrade your Grafana instances. Appropriate patches have been applied to Grafana Cloud.
As a workaround, Grafana Alerting may be disabled or users may switch to legacy alerting.
Process improvements to Grafana releases
This regression is clearly a failure in our release process, for which we apologize. Since late 2021, we have been engaging more closely with the security research community and as such have seen an increase in the number of issues discovered in our applications, which has strained our existing build and release processes. Most notably it led to us releasing versions that include the fix for CVE-2022-31097 and then failing to port that to our OSS repository. As such, it was not included in subsequent releases.
For the last six months we have been working on a new, highly automated build and release pipeline and process to mitigate this growing risk. As of this discovery, we have committed to releasing this internally ASAP and will blog openly about the challenges faced and solutions implemented. We’ll share more about our learnings and this process soon.
- 2022-07-14 - CVE-2022-31097 originally patched for versions 9.0.3, 8.5.9, 8.4.10 and 8.3.10
- 2022-08-02 Vulnerability reintroduced due to build process failure
- 2022-11-25 11:41 Stored XSS issue raised in public repo
- 2022-11-27 13:15 Issue moved to private repository
- 2022-11-27 13:20 Incident raised
- 2022-11-27 13:33 Identified regression from previous vulnerability
- 2022-11-28 11:13 Verified hosted Grafana was not exploited
- 2022-11-28 11:47 PRs submitted for fix with backports to 9.1 and 9.2
- 2022-11-28 12:29 PRs submitted for fix with backports to 9.3
- 2022-11-28 17:27 Verified that no other old fixes are missing from releases
- 2022-11-29 23:58 New versions of Grafana released to public
Reporting security issues
If you think you have found a security vulnerability, please send a report to email@example.com. This address can be used for all of Grafana Labs’ open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F225E 6A9B BB15 A37E 95EB 6312 C66A 51CC B44C 27E0
The key is available from keyserver.ubuntu.com.
We maintain a [security category](https://grafana.com/tags/security/) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml)