CVE-2022-29170: Grafana server-side request forgery vulnerability

CVE-2022-29170

On May 19, 2022, Grafana officially issued a risk notice for Grafana Enterprise server-side request forgery vulnerability, the vulnerability number is CVE-2022-29170 with a CVSS3 score of 6.6. The severity is moderate. This flaw allows an attacker to bypass datasource network restrictions via HTTP redirects.

Grafana is an open-source visualization and analytics platform that unifies data sets across your company into an interactive diagnostic workspace. Grafana is built on a plug-in architecture that allows you to interact with the underlying data sources without creating data copies. Create, explore, and share dashboards with your team and foster a data-driven culture: Visualize, Dynamic Dashboards, Explore Metrics, Explore Logs, Alerting, Mixed Data Sources.

CVE-2022-29170

Vulnerability Detail

Grafana Enterprise is impacted only if three conditions must be met:

  • Running Grafana Enterprise 7.4.0-beta1 – 8.5.2
  • Request security allow list feature is configured to use at least one host_allow_list or host_deny_list
  • There is a possibility of adding a custom datasource to Grafana which returns HTTP redirects

Request security allow list allows users to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability allows users to bypass these security configurations if a malicious data source (running on an allowed host) returns an HTTP redirect to a forbidden host.”

Grafana Labs was forced to publish the fix:

  • 2022-05-02 A potential Issue related to the request security feature in Grafana Enterprise has been reported internally
  • 2022-05-02 12:33 Issue escalated and the vulnerability confirmed reproducible
  • 2022-05-02 15:00 Decision is made to release a private patch
  • 2022-05-02 15:21 CVE requested
  • 2022-05-03 15:58 Private release planned for 2022-05-05, and public release planned for 2022-05-19
  • 2022-05-05 12:00 Private release
  • 2022-05-19 12:00 Public release

Solution

Grafana Enterprise has released versions 8.5.3 and 7.5.16 to fix the CVE-2022-29170 flaw, user should update to the latest version as soon as possible.