When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.
This can allow API token holders to retrieve data for which they may not have intended access.
Impact
All of the following must be true:
- The Grafana instance has data sources that support the Forward OAuth Identity feature. Graphite users, for example.
- Some data sources are not susceptible, like Prometheus, as they do not have support for this feature.
- The option being available is not sufficient enough to determine if the data source is susceptible.
- The Grafana instance has a data source with the Forward OAuth Identity feature toggled on.
- The Grafana instance has OAuth enabled.
- The Grafana instance has usable API keys.
Patches
The following Grafana versions have been patched:
Workarounds
Administrators of Grafana instances can limit the availability of API tokens.
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
References
When a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token (and no other user credentials) will forward the OAuth Identity of the most recently logged-in user.
This can allow API token holders to retrieve data for which they may not have intended access.
Impact
All of the following must be true:
Patches
The following Grafana versions have been patched:
v8.3.4
v7.5.13
Workarounds
Administrators of Grafana instances can limit the availability of API tokens.
Reporting security issues
If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is
F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA
The key is available from keyserver.ubuntu.com.
Security announcements
We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.
You can also subscribe to our RSS feed.
References