Skip to content

Grafana Forward OAuth Identity Token can allow users to access some data sources

Low severity GitHub Reviewed Published Jan 18, 2022 in grafana/grafana • Updated May 14, 2024

Package

gomod github.com/grafana/grafana (Go)

Affected versions

> 7.2.0, < 7.5.13
>= 8.0.0, < 8.3.4

Patched versions

7.5.13
8.3.4

Description

When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.

This can allow API token holders to retrieve data for which they may not have intended access.

Impact

All of the following must be true:

  • The Grafana instance has data sources that support the Forward OAuth Identity feature. Graphite users, for example.
    • Some data sources are not susceptible, like Prometheus, as they do not have support for this feature.
    • The option being available is not sufficient enough to determine if the data source is susceptible.
  • The Grafana instance has a data source with the Forward OAuth Identity feature toggled on.
  • The Grafana instance has OAuth enabled.
  • The Grafana instance has usable API keys.

Patches

The following Grafana versions have been patched:

  • v8.3.4
  • v7.5.13

Workarounds

Administrators of Grafana instances can limit the availability of API tokens.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

References

@kminehart kminehart published to grafana/grafana Jan 18, 2022
Published by the National Vulnerability Database Jan 18, 2022
Published to the GitHub Advisory Database May 14, 2024
Reviewed May 14, 2024
Last updated May 14, 2024

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

EPSS score

0.110%
(45th percentile)

Weaknesses

CVE ID

CVE-2022-21673

GHSA ID

GHSA-8wjh-59cw-9xh4

Source code

Credits

Loading Checking history
Improvements are not currently accepted on this advisory because it uses an unsupported versioning operator. Read more and discuss here.