Grafana 8.3.4 and 7.5.13 released with important security fix

Today we are releasing Grafana 8.3.4 and 7.5.13. Among other fixes, these patch releases include an important security fix for all Grafana installations 7.5.x and 8.x. These versions are only vulnerable if the administrator has utilized OAuth forwarding for data sources and utilizes API keys.

Release v8.3.4 contains both a security fix and other patch changes. Because this issue is CVSS low only, we decided to release the fix as part of a normal patch release:

• Download Grafana 8.3.4

Latest stable release in v7.5.13:

• Download Grafana 7.5.13

Forward OAuth Identity Token (CVE-2022-21673)

Summary

In Grafana 7.2, a feature was added that allows opted-in data sources to forward the OAuth Access Token of the currently signed-in user when requesting data. If this feature is enabled on a data source, and a request is made with an API token to the data source, the OAuth Access Token of the most recently signed-in user is used instead of the provided API token.

This is not the expected behavior. We received a report about this issue on Jan. 7 in our security email from Mikko Auvinen.

Solutions and mitigations

If you are on Grafana 7.2 or later or Grafana 8.x and utilize Forward OAuth Identity Token, we recommend that you upgrade to this latest version. If you cannot upgrade, you can mitigate this by limiting the availability of API tokens.

Acknowledgements

We would like to thank Mikko Auvinen for responsibly disclosing this issue to us.

Reporting security Issues

If you think you have found a security vulnerability, please go to our Report a security issue page to learn how to send a security report.

Security announcements

We maintain a security category on our blog where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.