CVE-2022-21673Sensitive Information Exposure in Grafana

CWE-200Sensitive Information ExposureCWE-639Authorization Bypass Through User-Controlled Key3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.5%
top 33.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GrafanaFedoraproject Fedora
Timeline
PublishedJan 18

Description

Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user. This can allow API token holders to retrieve data for which they may not have intended access. This attack relies on the Grafana instance having data sources that support the Forward OAuth

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDgrafana/grafana7.2.07.5.13+1
CVEListV5grafana/grafana>= 7.2.0, < 7.5.13, >= 8.0.0, < 8.3.4+1

Also affects: Fedora 34, 35, 36

🔴Vulnerability Details

1
OSV
CVE-2022-21673: Grafana is an open-source platform for monitoring and observability2022-01-18

📋Vendor Advisories

1
Red Hat
grafana: Forward OAuth Identity Token can allow users to access some data sources2022-01-18