CVE-2022-29170: Grafana server-side request forgery vulnerability
On May 19, 2022, Grafana officially issued a risk notice for Grafana Enterprise server-side request forgery vulnerability, the vulnerability number is CVE-2022-29170 with a CVSS3 score of 6.6. The severity is moderate. This flaw allows an attacker to bypass datasource network restrictions via HTTP redirects.
Grafana is an open-source visualization and analytics platform that unifies data sets across your company into an interactive diagnostic workspace. Grafana is built on a plug-in architecture that allows you to interact with the underlying data sources without creating data copies. Create, explore, and share dashboards with your team and foster a data-driven culture: Visualize, Dynamic Dashboards, Explore Metrics, Explore Logs, Alerting, Mixed Data Sources.
Vulnerability Detail
Grafana Enterprise is impacted only if three conditions must be met:
- Running Grafana Enterprise 7.4.0-beta1 – 8.5.2
- Request security allow list feature is configured to use at least one host_allow_list or host_deny_list
- There is a possibility of adding a custom datasource to Grafana which returns HTTP redirects
“Request security allow list allows users to configure Grafana in a way so that the instance doesn’t call or only calls specific hosts. The vulnerability allows users to bypass these security configurations if a malicious data source (running on an allowed host) returns an HTTP redirect to a forbidden host.”
Grafana Labs was forced to publish the fix:
- 2022-05-02 A potential Issue related to the request security feature in Grafana Enterprise has been reported internally
- 2022-05-02 12:33 Issue escalated and the vulnerability confirmed reproducible
- 2022-05-02 15:00 Decision is made to release a private patch
- 2022-05-02 15:21 CVE requested
- 2022-05-03 15:58 Private release planned for 2022-05-05, and public release planned for 2022-05-19
- 2022-05-05 12:00 Private release
- 2022-05-19 12:00 Public release
Solution
Grafana Enterprise has released versions 8.5.3 and 7.5.16 to fix the CVE-2022-29170 flaw, user should update to the latest version as soon as possible.
